xboxdevwiki bitnami_mediawiki https://xboxdevwiki.net/Main_Page MediaWiki 1.28.0 first-letter Media Special Talk User User talk xboxdevwiki xboxdevwiki talk File File talk MediaWiki MediaWiki talk Template Template talk Help Help talk Category Category talk 0 1 1 2016-12-05T07:21:04Z MediaWiki default 0 wikitext text/x-wiki <strong>MediaWiki has been installed.</strong> Consult the [https://meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 3b35bb5dedd5f6980415f4918b3d60d2248c89cb 2 1 2016-12-30T13:16:16Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == * [http://xqemu.com xqemu Xbox emulator] * [https://github.com/xqemu/nxdk New Xbox Development Kit] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] e98ab535aa67a015c30811e6bc6c43b3fafc1e13 10 2 2016-12-30T13:39:20Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] b2ee81025489a447df50850a6fbe071fb8f5e59a 11 10 2016-12-30T13:47:56Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Chat with us in #xqemu on freenode. Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] [[Chihiro]] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 4338e02e5e5ea20ea91d0ec860174c0402d1f9f4 12 11 2016-12-30T13:52:11Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] [[Chihiro]] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] dc4d9a25271e96280765dd1dc9d42aefd84e0f73 13 12 2016-12-30T13:54:36Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 3196b86a38da6c9ec8c5982c1fd3827a00d5a6f3 14 13 2016-12-30T13:57:07Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 3342615fbf06778152f35efecb088b7d8c2eb8be 19 14 2016-12-30T14:03:36Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 206231dc5f247a1dbc59dc20ea3ed594e7a08ac1 21 19 2016-12-30T14:04:34Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 461ce87ec5362b88e75b1b5a73e42e990181a4bd 24 21 2016-12-30T14:10:22Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 9e632c6fbcff95cd7d2344cee3f588d6d4fcc1e8 27 24 2016-12-30T14:16:23Z 151.217.214.155 0 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 2e97918cc94e9f5d4b2a84fe7350327defb9c843 31 27 2017-01-04T12:03:34Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 7d1e73b1c488d6db360bbdfbb4287c44bb92da69 5000 31 2017-03-19T10:36:53Z JayFoxRox 2 /* xboxdevwiki.net */ wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 0f5f91e72539f0f20dc7ff46a3bd21a55fbb5038 5002 5000 2017-03-23T11:25:51Z Eighthpence 2472 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[Bios]] ** [[MCPX]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] be2448d3dd542f96b9207101c664dad2741e1b58 5003 5002 2017-03-23T11:26:01Z Eighthpence 2472 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[BIOS]] ** [[MCPX]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 052d10ac2cd24a33f9c62f921e1d9ca1369df1b3 5004 5003 2017-03-23T11:26:58Z Eighthpence 2472 /* xboxdevwiki.net */ wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 475318ccbb070b8de9a9bacc662c2eee12b703c5 5014 5004 2017-03-23T14:04:20Z Eighthpence 2472 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [[cxbx-reloaded]] * [[cxbx]] * [[dxbx]] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 8f396e6e64f52389a1e6048935d9c67a1607b91e 0 3 4 2016-12-30T13:22:13Z JayFoxRox 2 Created page with "Random resources about xbox hacking [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] [http://www..." wikitext text/x-wiki Random resources about xbox hacking [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] 7c7ce96726cdb69709cedcc8107d9c3c05e9bef6 5 4 2016-12-30T13:24:46Z JayFoxRox 2 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] * [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] b6e6fbeef1ddcb0fc866be21278075110cf824fb 23 5 2016-12-30T14:08:33Z 151.217.214.155 0 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] * [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] e41592c6f0e0038abcf0b3ece049bd4ac6a1d804 34 23 2017-01-04T12:25:44Z JayFoxRox 2 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] * [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] 6882492a44d778f967a282ee88cb8240c4f5c89a 4999 34 2017-03-19T10:33:54Z JayFoxRox 2 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Matt Borgerson about the Xbox bootrom] 1e2bbb359875543c2768a07b2637403fbc49960a 0 4 6 2016-12-30T13:26:49Z JayFoxRox 2 Created page with "There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I’ll remove them manually… = GoldSrc = {| !..." wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I’ll remove them manually… = GoldSrc = {| ! Title |- | Counter-Strike |} = Source Engine = {| ! Title |- | Half-Life 2 |} = CryEngine 1 = {| ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| !width="10%"| Title !width="8%"| Year !width="13%"| Platform !width="27%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox, PC | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox, PC | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox, PC | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox, Xbox 360, PSP | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox, PC | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, PC | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox, Xbox 360 | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PlayStation 4, PC, Xbox, Mac OS X, IOS, Android, Fire OS | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PlayStation 4, PC, Xbox, Mac OS X, IOS, Android, Fire OS | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PlayStation 4, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Fire OS | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox, PC, GBA | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameC |} 5b158de001b571caa9cd94bd6562737261b446fa 0 7 15 2016-12-30T13:57:51Z 151.217.214.155 0 Created page with "== Lighting == == Skinning ==" wikitext text/x-wiki == Lighting == == Skinning == 1b7d49b0bec8ab267b709949cc3479f1ae18a5c9 0 8 16 2016-12-30T13:58:35Z 151.217.214.155 0 Created page with "== Debugging == PIX from the Microsoft XDK provides great debugging capabilities." wikitext text/x-wiki == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. 9f98c891e2e0a811a9e2cc1e0671bf900a262c96 35 16 2017-01-04T12:34:04Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements https://www.opengl.org/registry/specs/NV/register_combiners.txt (and https://www.opengl.org/registry/specs/NV/register_combiners2.txt ? ) == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. 9bdf8635bf86f0af8d31d34678afd411ed78d34d 0 9 17 2016-12-30T14:02:06Z 151.217.214.155 0 Created page with "== Registers == There are: * 12 temporary registers: R0 to R11 * output registers: oPos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3, A0.x * Input data: ??? R12 is a..." wikitext text/x-wiki == Registers == There are: * 12 temporary registers: R0 to R11 * output registers: oPos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3, A0.x * Input data: ??? R12 is a mirror of the output register oPos == Instructions == ??? 95f231bf0eeeb5fce5b49a7a1d11417252db87ce 36 17 2017-01-04T12:35:04Z JayFoxRox 2 wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Registers == There are: * 12 temporary registers: R0 to R11 * output registers: oPos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3, A0.x * Input data: ??? R12 is a mirror of the output register oPos == Instructions == ??? e25324d325924e62809789b154715c00d832939a 0 10 18 2016-12-30T14:03:11Z 151.217.214.155 0 Created page with " == Texture formats == == Framebuffer formats ==" wikitext text/x-wiki == Texture formats == == Framebuffer formats == f859795c49a7a0d8d9dde243e5db294f2a4aed04 0 11 20 2016-12-30T14:04:09Z 151.217.214.155 0 Created page with "== Standard Gamepads == == Steering wheels == == Light guns ==" wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == 353267a9e34a45d36777dd8190006f5fcacb5f14 0 12 22 2016-12-30T14:05:27Z 151.217.214.155 0 Created page with "The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions ==" wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == c095e07534c23ff43b212cfed924100ae75d312e 0 13 25 2016-12-30T14:11:20Z 151.217.214.155 0 Created page with "== Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version" wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ed4067304d6bcca8c631d4d4694fc024eff404d5 26 25 2016-12-30T14:12:10Z 151.217.214.155 0 wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== ==== HUD ==== 8d6985de4517c10225269b28cad7cc6fa392c9b8 28 26 2016-12-30T14:18:03Z 151.217.214.155 0 /* Skater */ wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== Shader: ==== HUD ==== 93c242cd51413c5f0642f509cc329f6177516c20 29 28 2016-12-30T14:24:42Z 151.217.214.155 0 /* Demo */ wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== Shader: ==== HUD ==== ==== Shadow ==== ===== Skater ===== Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ====== Shader ====== <code> /* Slot 0: 0x00000000 0x007002AA 0x0C361400 0x28200FF8 */ ADD(R2,x, c[128].z, -v1.x); /* Slot 1: 0x00000000 0x00CC001B 0x0836186C 0x28300FF8 */ DPH(R3,x, v0, c[96]); /* Slot 2: 0x00000000 0x00CC201B 0x0836186C 0x24300FF8 */ DPH(R3,y, v0, c[97]); /* Slot 3: 0x00000000 0x00CC401B 0x0836186C 0x22300FF8 */ DPH(R3,z, v0, c[98]); /* Slot 4: 0x00000000 0x00CC601B 0x0836186C 0x28400FF8 */ DPH(R4,x, v0, c[99]); /* Slot 5: 0x00000000 0x00CC801B 0x0836186C 0x24400FF8 */ DPH(R4,y, v0, c[100]); /* Slot 6: 0x00000000 0x00CCA01B 0x0836186C 0x22400FF8 */ DPH(R4,z, v0, c[101]); /* Slot 7: 0x00000000 0x0040021A 0x3400106C 0x2E500FF8 */ MUL(R5,xyz, R3.xyz, v1.x); /* Slot 8: 0x00000000 0x0080001A 0x44004869 0x5E600FF8 */ MAD(R6,xyz, R4.xyz, R2.x, R5.xyz); /* Slot 9: 0x00000000 0x00CEA01B 0x6436186C 0x20708800 */ DPH(oPos,x, R6, c[117]); /* Slot 10: 0x00000000 0x00CEC01B 0x6436186C 0x20704800 */ DPH(oPos,y, R6, c[118]); /* Slot 11: 0x00000000 0x00CEE01B 0x6436186C 0x20702800 */ DPH(oPos,z, R6, c[119]); /* Slot 12: 0x00000000 0x00CF001B 0x6436186C 0x20701800 */ DPH(oPos,w, R6, c[120]); /* Slot 13: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 14: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> 532aa8a461d8705cc69bb1fce347a96b1fd5ad9e 30 29 2016-12-30T14:28:03Z 151.217.214.155 0 /* Skater */ wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== Shader: <code> /* Slot 0: 0x00000000 0x00320000 0x0C36106C 0x21200FF8 */ MOV(R2,w, c[144].x); /* Slot 1: 0x00000000 0x005600FF 0x2554186C 0x21300FF8 */ MUL(R3,w, R2.w, c[176].z); /* Slot 2: 0x00000000 0x00960000 0x0C3413FC 0xDE400FF8 */ MAD(R4,xyz, c[176].x, v0.xyz, R3.w); /* Slot 3: 0x00000000 0x007002AA 0x0C361400 0x28500FF8 */ ADD(R5,x, c[128].z, -v1.x); /* Slot 4: 0x00000000 0x0ACC001B 0x0836186D 0x18640FF8 */ DPH(R6,x, v0, c[96]); EXP(R1,y, R4.x); /* Slot 5: 0x00000000 0x00CC201B 0x0836186C 0x24600FF8 */ DPH(R6,y, v0, c[97]); /* Slot 6: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 7: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 8: 0x00000000 0x00B0801A 0x1436186C 0x28700FF8 */ DP3(R7,x, R1.xyz, c[132]); /* Slot 9: 0x00000000 0x0ACC401B 0x08361955 0x12640FF8 */ DPH(R6,z, v0, c[98]); EXP(R1,y, R4.y); /* Slot 10: 0x00000000 0x00CC601B 0x0836186C 0x28800FF8 */ DPH(R8,x, v0, c[99]); /* Slot 11: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 12: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 13: 0x00000000 0x00B0801A 0x1436186C 0x24700FF8 */ DP3(R7,y, R1.xyz, c[132]); /* Slot 14: 0x00000000 0x0ACC801B 0x08361AA9 0x14840FF8 */ DPH(R8,y, v0, c[100]); EXP(R1,y, R4.z); /* Slot 15: 0x00000000 0x00CCA01B 0x0836186C 0x22800FF8 */ DPH(R8,z, v0, c[101]); /* Slot 16: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 17: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 18: 0x00000000 0x00B0801A 0x1436186C 0x22700FF8 */ DP3(R7,z, R1.xyz, c[132]); /* Slot 19: 0x00000000 0x0040021A 0x6400106C 0x2E900FF8 */ MUL(R9,xyz, R6.xyz, v1.x); /* Slot 20: 0x00000000 0x0080001A 0x8400A86A 0x5EA00FF8 */ MAD(R10,xyz, R8.xyz, R5.x, R9.xyz); /* Slot 21: 0x00000000 0x00560655 0x08AA186C 0x21B00FF8 */ MUL(R11,w, v3.y, c[176].y); /* Slot 22: 0x00000000 0x005780FF 0xB5FE186C 0x21000FF8 */ MUL(R0,w, R11.w, c[188].w); /* Slot 23: 0x00000000 0x0080001A 0x75FE086A 0x9E200FF8 */ MAD(R2,xyz, R7.xyz, R0.w, R10.xyz); /* Slot 24: 0x00000000 0x0097871A 0x0D541068 0x9E300FF8 */ MAD(R3,xyz, -c[188].xyz, v3.z, R2.xyz); /* Slot 25: 0x00000000 0x00AC041B 0x0836186C 0x28400FF8 */ DP3(R4,x, v2, c[96]); /* Slot 26: 0x00000000 0x00AC241B 0x0836186C 0x24400FF8 */ DP3(R4,y, v2, c[97]); /* Slot 27: 0x00000000 0x00AC441B 0x0836186C 0x22400FF8 */ DP3(R4,z, v2, c[98]); /* Slot 28: 0x00000000 0x00AC641B 0x0836186C 0x28600FF8 */ DP3(R6,x, v2, c[99]); /* Slot 29: 0x00000000 0x00AC841B 0x0836186C 0x24600FF8 */ DP3(R6,y, v2, c[100]); /* Slot 30: 0x00000000 0x00ACA41B 0x0836186C 0x22600FF8 */ DP3(R6,z, v2, c[101]); /* Slot 31: 0x00000000 0x0040021A 0x4400106C 0x2E700FF8 */ MUL(R7,xyz, R4.xyz, v1.x); /* Slot 32: 0x00000000 0x0080001A 0x6400A869 0xDE800FF8 */ MAD(R8,xyz, R6.xyz, R5.x, R7.xyz); /* Slot 33: 0x00000000 0x00CEA01B 0x3436186C 0x20708800 */ DPH(oPos,x, R3, c[117]); /* Slot 34: 0x00000000 0x00CEC01B 0x3436186C 0x20704800 */ DPH(oPos,y, R3, c[118]); /* Slot 35: 0x00000000 0x00CEE01B 0x3436186C 0x20702800 */ DPH(oPos,z, R3, c[119]); /* Slot 36: 0x00000000 0x00CF001B 0x3436186C 0x20701800 */ DPH(oPos,w, R3, c[120]); /* Slot 37: 0x00000000 0x00A0001A 0x8435086C 0x21800FF8 */ DP3(R8,w, R8.xyz, R8.xyz); /* Slot 38: 0x00000000 0x00CD321B 0x0836186C 0x20708848 */ DPH(oT0,x, v9, c[105]); /* Slot 39: 0x00000000 0x0833401B 0x0C3613FE 0x1F910FF8 */ MOV(R9,xyzw, c[154]); RSQ(R1,w, R8.w); /* Slot 40: 0x00000000 0x00CD521B 0x0836186C 0x20704848 */ DPH(oT0,y, v9, c[106]); /* Slot 41: 0x00000000 0x0040001A 0x85FE286C 0x2EA00FF8 */ MUL(R10,xyz, R8.xyz, R1.w); /* Slot 42: 0x00000000 0x00B3001B 0xA636186C 0x28B00FF8 */ DP3(R11,x, R10, -c[152]); /* Slot 43: 0x00000000 0x00B3201B 0xA636186C 0x24B00FF8 */ DP3(R11,y, R10, -c[153]); /* Slot 44: 0x00000000 0x00CF001B 0x3436186C 0x20708828 */ DPH(oFog,x, R3, c[120]); /* Slot 45: 0x00000000 0x01500015 0xB400186C 0x2C000FF8 */ MAX(R0,xy, R11.xy, c[128].x); /* Slot 46: 0x00000000 0x00936000 0x0436186E 0x5F200FF8 */ MAD(R2,xyzw, R0.x, c[155], R9); /* Slot 47: 0x00000000 0x00938055 0x0436186C 0x9F300FF8 */ MAD(R3,xyzw, R0.y, c[156], R2); /* Slot 48: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 49: 0x00000000 0x0057401B 0x3436186C 0x2070F818 */ MUL(oD0,xyzw, R3, c[186]); /* Slot 50: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> ==== HUD ==== ==== Shadow ==== ===== Skater ===== Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ====== Shader ====== <code> /* Slot 0: 0x00000000 0x007002AA 0x0C361400 0x28200FF8 */ ADD(R2,x, c[128].z, -v1.x); /* Slot 1: 0x00000000 0x00CC001B 0x0836186C 0x28300FF8 */ DPH(R3,x, v0, c[96]); /* Slot 2: 0x00000000 0x00CC201B 0x0836186C 0x24300FF8 */ DPH(R3,y, v0, c[97]); /* Slot 3: 0x00000000 0x00CC401B 0x0836186C 0x22300FF8 */ DPH(R3,z, v0, c[98]); /* Slot 4: 0x00000000 0x00CC601B 0x0836186C 0x28400FF8 */ DPH(R4,x, v0, c[99]); /* Slot 5: 0x00000000 0x00CC801B 0x0836186C 0x24400FF8 */ DPH(R4,y, v0, c[100]); /* Slot 6: 0x00000000 0x00CCA01B 0x0836186C 0x22400FF8 */ DPH(R4,z, v0, c[101]); /* Slot 7: 0x00000000 0x0040021A 0x3400106C 0x2E500FF8 */ MUL(R5,xyz, R3.xyz, v1.x); /* Slot 8: 0x00000000 0x0080001A 0x44004869 0x5E600FF8 */ MAD(R6,xyz, R4.xyz, R2.x, R5.xyz); /* Slot 9: 0x00000000 0x00CEA01B 0x6436186C 0x20708800 */ DPH(oPos,x, R6, c[117]); /* Slot 10: 0x00000000 0x00CEC01B 0x6436186C 0x20704800 */ DPH(oPos,y, R6, c[118]); /* Slot 11: 0x00000000 0x00CEE01B 0x6436186C 0x20702800 */ DPH(oPos,z, R6, c[119]); /* Slot 12: 0x00000000 0x00CF001B 0x6436186C 0x20701800 */ DPH(oPos,w, R6, c[120]); /* Slot 13: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 14: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> 8383f255d00fa5f862293f7f8d4923302f02f5fa 0 14 32 2017-01-04T12:07:19Z JayFoxRox 2 Created page with " == Fullscreen blit shader == <code> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -2..." wikitext text/x-wiki == Fullscreen blit shader == <code> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -240, 16777215, 0 } c[59] = { 320.53125, 240.53125, 0, 0} c[100] = { 640, 480, 0, 5.06639553e-05} c[101] = { 0, 0, 0, 1} c[102] = {1/320, -1/240, 1, 1} c[103] = { 1, -1, 0, 0} c[104] = { 0, 0, 0, 0} c[105] = { 320, -240, 16777215, 0 } c[106] = { 320.53125, 240.53125, 0, 0} oD0 = v1 R2.x = 0.0; R9 = {1/320, -1/240, 1, 1} R5.xy = R2.x * { -1, +1 } // -> R5.xy = 0.0 .. FIXME: This makes no sense? R2.x was just set to zero?! [from C104.x !!] /* Slot 3: 0x00000000 0x006CC0AA 0x0C36146C 0x98300FF8 */ ADD(R3,x, c[102].z, -R2); // -> R3.x = C[102].z = 1.0 /* Slot 4: 0x00000000 0x008CC000 0x242A1800 0xDC400FF8 */ MAD(R4,xy, R2.x, c[102].xy, R3.x); // -> R4.xy = R3.xx = {1,1} /* Slot 5: 0x00000000 0x008D2000 0x242A1800 0xDC600FF8 */ MAD(R6,xy, R2.x, c[105].xy, R3.x); // -> R6.xy = R3.xx = {1,1} /* Slot 6: 0x00000000 0x004D4000 0x242A186C 0x2C700FF8 */ MUL(R7,xy, R2.x, c[106].xy); // -> R7.xy = 0.0 /* Slot 7: 0x00000000 0x0080041B 0x0836886D 0x5C800FF8 */ MAD(R8,xy, v2, R4, R5); // -> R8 = v2 * R4 = v2 oT0.xy = R8 * R6 + R7 // -> v2 oT1.xy = R8 * R6 + R7 // -> v2 /* Slot 8: 0x00000000 0x004CA01A 0x0C37286C 0x2FA00FF8 */ MUL(R10,xyzw, c[101].xyz, R9); /* Slot 11: 0x00000000 0x006CE01B 0xA436146C 0x3070F800 */ ADD(oPos,xyzw, R10, -c[103]); /* Slot 12: 0x00000000 0x004C8015 0x942A186C 0x2CB00FF8 */ MUL(R11,xy, R9.xy, c[100].xy); /* Slot 13: 0x00000000 0x00800015 0x082B6857 0x1070C800 */ MAD(oPos,xy, v0.xy, R11.xy, R12.xy); SET FOG: /* Slot 14: 0x00000000 0x004C80FF 0x0DFF886C 0x20708828 */ MUL(oFog,x, c[100].w, R12.w); DO VIEWPORT TRANSFORM: /* Slot 15: 0x00000000 0x0047401B 0xC436186C 0x2070C800 */ MUL(oPos,xy, R12, c[58]); /* Slot 16: 0x00000000 0x0067601B 0xC436106C 0x3070C801 */ ADD(oPos,xy, R12, c[59]); SPACE CONVERSION [XQEMU only]: if (oPos.w == 0.0 || isinf(oPos.w)) { vtx.inv_w = 1.0; } else { vtx.inv_w = 1.0 / oPos.w; } oPos.x = 2.0 * (oPos.x - surfaceSize.x * 0.5) / surfaceSize.x; oPos.y = -2.0 * (oPos.y - surfaceSize.y * 0.5) / surfaceSize.y; if (clipRange.y != clipRange.x) { oPos.z = (oPos.z - 0.5 * (clipRange.x + clipRange.y)) / (0.5 * (clipRange.y - clipRange.x)); } if (oPos.w <= 0.0) { oPos.xyz *= oPos.w; } else { oPos.w = 1.0; } /* Make the world a happy place! */ #if 1 oFog.xyzw = vec4(1.0); oPos.xy = v0.xy; oPos.y *= -1.0; oPos.z = 0.5; oPos.w = 1.0; vtx.inv_w = 1.0; #endif </code> bab0160b062c619772017986637855084e9e4ab3 33 32 2017-01-04T12:12:37Z JayFoxRox 2 wikitext text/x-wiki == Fullscreen blit shader == <code> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -240, 16777215, 0 } c[59] = { 320.53125, 240.53125, 0, 0} c[100] = { 640, 480, 0, 5.06639553e-05} c[101] = { 0, 0, 0, 1} c[102] = {1/320, -1/240, 1, 1} c[103] = { 1, -1, 0, 0} c[104] = { 0, 0, 0, 0} c[105] = { 320, -240, 16777215, 0 } c[106] = { 320.53125, 240.53125, 0, 0} /* Slot 0: 0x00000000 0x002D001B 0x0C36106C 0x28200FF8 */ // R2.x = 0.0; MOV(R2,x, c[104]); /* Slot 1: 0x00000000 0x002CC01B 0x0C36106C 0x2F900FF8 */ // R9 = {1/320, -1/240, 1, 1} MOV(R9,xyzw, c[102]); /* Slot 2: 0x00000000 0x024CE200 0x2636186C 0x2C50F81C */ // R5.xy = R2.x * { -1, +1 } // -> R5.xy = 0.0 .. FIXME: This makes no sense? R2.x was just set to zero?! [from C104.x !!] // oD0 = v1 MUL(R5,xy, R2.x, -c[103]); MOV(oD0,xyzw, v1); /* Slot 3: 0x00000000 0x006CC0AA 0x0C36146C 0x98300FF8 */ ADD(R3,x, c[102].z, -R2); // -> R3.x = C[102].z = 1.0 /* Slot 4: 0x00000000 0x008CC000 0x242A1800 0xDC400FF8 */ MAD(R4,xy, R2.x, c[102].xy, R3.x); // -> R4.xy = R3.xx = {1,1} /* Slot 5: 0x00000000 0x008D2000 0x242A1800 0xDC600FF8 */ MAD(R6,xy, R2.x, c[105].xy, R3.x); // -> R6.xy = R3.xx = {1,1} /* Slot 6: 0x00000000 0x004D4000 0x242A186C 0x2C700FF8 */ MUL(R7,xy, R2.x, c[106].xy); // -> R7.xy = 0.0 /* Slot 7: 0x00000000 0x0080041B 0x0836886D 0x5C800FF8 */ MAD(R8,xy, v2, R4, R5); // -> R8 = v2 * R4 = v2 oT0.xy = R8 * R6 + R7 // -> v2 oT1.xy = R8 * R6 + R7 // -> v2 /* Slot 8: 0x00000000 0x004CA01A 0x0C37286C 0x2FA00FF8 */ MUL(R10,xyzw, c[101].xyz, R9); /* Slot 11: 0x00000000 0x006CE01B 0xA436146C 0x3070F800 */ ADD(oPos,xyzw, R10, -c[103]); /* Slot 12: 0x00000000 0x004C8015 0x942A186C 0x2CB00FF8 */ MUL(R11,xy, R9.xy, c[100].xy); /* Slot 13: 0x00000000 0x00800015 0x082B6857 0x1070C800 */ MAD(oPos,xy, v0.xy, R11.xy, R12.xy); SET FOG: /* Slot 14: 0x00000000 0x004C80FF 0x0DFF886C 0x20708828 */ MUL(oFog,x, c[100].w, R12.w); DO VIEWPORT TRANSFORM: /* Slot 15: 0x00000000 0x0047401B 0xC436186C 0x2070C800 */ MUL(oPos,xy, R12, c[58]); /* Slot 16: 0x00000000 0x0067601B 0xC436106C 0x3070C801 */ ADD(oPos,xy, R12, c[59]); SPACE CONVERSION [XQEMU only]: if (oPos.w == 0.0 || isinf(oPos.w)) { vtx.inv_w = 1.0; } else { vtx.inv_w = 1.0 / oPos.w; } oPos.x = 2.0 * (oPos.x - surfaceSize.x * 0.5) / surfaceSize.x; oPos.y = -2.0 * (oPos.y - surfaceSize.y * 0.5) / surfaceSize.y; if (clipRange.y != clipRange.x) { oPos.z = (oPos.z - 0.5 * (clipRange.x + clipRange.y)) / (0.5 * (clipRange.y - clipRange.x)); } if (oPos.w <= 0.0) { oPos.xyz *= oPos.w; } else { oPos.w = 1.0; } /* Make the world a happy place! */ #if 1 oFog.xyzw = vec4(1.0); oPos.xy = v0.xy; oPos.y *= -1.0; oPos.z = 0.5; oPos.w = 1.0; vtx.inv_w = 1.0; #endif </code> 957a172e731d20a44f663c3ba18119f0c7ec74f8 0 3669 5001 2017-03-23T10:50:08Z Eighthpence 2472 Base page creation wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant Video Chip == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 56694cf1a3f8c3f0f80a0b3734a50c4ca2abd831 0 3670 5005 2017-03-23T12:17:10Z Eighthpence 2472 Created page with "The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fa..." wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <code>mov eax,0x80000880 mov dx,0xcf8 out dx,eax</code> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [MCPX Dumping] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. 6f18ac167b3111ceddc03468f907e36bb3bbf5cf 5006 5005 2017-03-23T12:21:22Z Eighthpence 2472 /* Dumping the MCPX ROM */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [MCPX Dumping] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. 70d4507638b58f4d95f22344cd35675748b7313e 5012 5006 2017-03-23T14:02:35Z Eighthpence 2472 wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [MCPX Dumping] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] 81708747941a9e26997ea9790edcb2dc427b6e3d 0 3671 5007 2017-03-23T13:18:15Z Eighthpence 2472 Created page with "The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors (there are 4 of them) and also the USB, PCI, IDE, etc, controllers (please rem..." wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors (there are 4 of them) and also the USB, PCI, IDE, etc, controllers (please remove this disclaimer if I'm right, or fix it if I'm wrong.) The MCPX is also the home to the secret [MCPX ROM]. f06da34b4a2a24484069ab630cad8734d068da48 0 3672 5008 2017-03-23T14:00:42Z Eighthpence 2472 Created page with "The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sens..." wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [MCPX ROM], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [MCPX ROM], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] c257411ca880f0b5c21ca59f1934a0076b98db43 5009 5008 2017-03-23T14:01:03Z Eighthpence 2472 /* Unknown */ wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the ][MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [MCPX ROM], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] e3cf1462f58d180e144a5ea8b7778ea7cda54976 5010 5009 2017-03-23T14:01:16Z Eighthpence 2472 /* Unknown */ wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [MCPX ROM], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 976788b00e22bdfbbf39c6e02db1b7083502108b 5011 5010 2017-03-23T14:01:29Z Eighthpence 2472 /* Decoy bootloader */ wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 15e7d1bd7565954808dd9dffc495cfdce55c77a0 2 3673 5013 2017-03-23T14:03:05Z Eighthpence 2472 Created page with "I'm a prick, don't listen to me." wikitext text/x-wiki I'm a prick, don't listen to me. 0b43dc8a7269a56fc5a0384ec17d1d161fb24e5f 0 3674 5015 2017-03-23T14:11:11Z Eighthpence 2472 Created page with "The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The m..." wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The memory was shared between the CPU and GPU. The [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. Code for emulating the memory might consist of: <pre> #define MAIN_MEMORY 64 * 1024 * 1024 #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) int mcpx_active = 1; uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx = 0; } <pre> 54a44db000ca784be54b4e70446db86fe39fa0fa 0 3675 5016 2017-03-23T14:12:39Z Eighthpence 2472 Created page with "The northbridge of the chipset, and is the GPU" wikitext text/x-wiki The northbridge of the chipset, and is the GPU 4db22ca3f18382ad085102b82f88af9470274de0 0 3669 5017 5001 2017-03-23T14:21:57Z Eighthpence 2472 wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [Video Chip] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 857390d425d7cc155ea19f9a7a2118fccaa7a71f 5018 5017 2017-03-23T14:22:05Z Eighthpence 2472 wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Chip]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 223490e3ac91eeae7b1292510429c2aa37c5e403 0 3670 5020 5012 2017-03-23T14:53:35Z Eighthpence 2472 /* Dumping the MCPX ROM */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] e910fdf89cfd4b6ba6237c6bf219523e244738b5 5033 5020 2017-03-28T20:47:32Z Eighthpence 2472 wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [MCPX 1.0] * [MCPX 1.1] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] 310bc74f91803379d38de7126fc8213a0f4ba11a 5034 5033 2017-03-28T20:48:02Z Eighthpence 2472 wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX 1.0]] * [[MCPX 1.1]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] 365d044afcc95bfe1cf5f7c39710da606f1432d0 5035 5034 2017-03-28T20:55:43Z Eighthpence 2472 wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] b19cd8f6959d7a716698aaef54e552a5443850db 0 3677 5021 2017-03-23T15:05:32Z Eighthpence 2472 Created page with "Dumping a BIOS can be done in several ways. == Using a chip reader == The BIOS is an ordinary TSOP and can be read with an ordinary TSOP reader. == Using a softmod exploit..." wikitext text/x-wiki Dumping a BIOS can be done in several ways. == Using a chip reader == The BIOS is an ordinary TSOP and can be read with an ordinary TSOP reader. == Using a softmod exploit == Using a softmod exploit, you can usually choose to 'backup' your Xbox. This dumps a load of information to E:\Backup, including the BIOS. You can then FTP into your Xbox and retrieve it. aabd8f468d044b957bfc93b8f78ffd654d1048fd 0 3672 5022 5011 2017-03-23T15:06:02Z Eighthpence 2472 wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] d974ebac6953a180ecf7a52ae5142117bac34e58 0 3678 5023 2017-03-27T20:48:37Z Eighthpence 2472 Created page with "== See Also == [[Hard Drive Files]]" wikitext text/x-wiki == See Also == [[Hard Drive Files]] 0a88e6da820ed867351330df4995dac9a64274c8 5066 5023 2017-04-22T09:44:07Z JayFoxRox 2 Add list of kernel exports wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- |Name |Ordinal |Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 | |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 | |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 | |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 | |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |- |[[Kernel/ExTimerObjectType]] |31 | |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |- |[[Kernel/HalDiskModelNumber]] |41 | |- |[[Kernel/HalDiskSerialNumber]] |42 | |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 | |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 | |- |[[Kernel/IoFileObjectType]] |71 | |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 | |- |[[Kernel/KdDebuggerNotPresent]] |89 | |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 | |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 | |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 | |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 | |- |[[Kernel/KeTimeIncrement]] |157 | |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 | |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 | |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 | |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 | |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 | |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 | |- |[[Kernel/XboxHardwareInfo]] |322 | |- |[[Kernel/XboxHDKey]] |323 | |- |[[Kernel/XboxKrnlVersion]] |324 | |- |[[Kernel/XboxSignatureKey]] |325 | |- |[[Kernel/XeImageFileName]] |326 | |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |- |[[Kernel/XePublicKeyData]] |355 | |- |[[Kernel/HalBootSMCVideoMode]] |356 | |- |[[Kernel/IdexChannelObject]] |357 | |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |} == See Also == [[Hard Drive Files]] ff30625d5bd9f43fcae471b715b7dc3362f2e1e1 5067 5066 2017-04-22T10:09:19Z JayFoxRox 2 More kernel exports and some notes wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- |Name |Ordinal |Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only?!?? |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only?!?? |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- | |361 |Unused? |- | |362 |Unused? |- | |363 |Unused? |- | |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only?! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only?! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only?! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only?! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only?! |} == See Also == [[Hard Drive Files]] ffe1d0dddba676f57a7cf5ded1270f122fa5b1b4 0 3679 5024 2017-03-27T20:56:46Z Eighthpence 2472 Created page with "The files on the Xbox look something like this (file sizes and MD5 checksums included): <pre> C Audio AmbientAudio AMB_05_ENGINEROOM_LR.wav 5562348..." wikitext text/x-wiki The files on the Xbox look something like this (file sizes and MD5 checksums included): <pre> C Audio AmbientAudio AMB_05_ENGINEROOM_LR.wav 5562348 565b84c327ef10b4854db6d3c943078e AMB_06_COMMUNICATION_LR.wav 5412228 767c124d7260a8c0072ed21fb2d46915 AMB_12_HYDROTHUNDER_LR.wav 6447588 8fe6214758f24524ea7af2f3a30258a0 AMB_EC_Pinger1.wav 1259412 076eb4b27b9ff381a8e188898975fb4d AMB_EC_Steam1.wav 656484 43ac56a62ed8459239b97a39e665af2f AMB_EC_Steam2.wav 943836 337bc7e89097d2b3ddcdb0eab0a92e13 AMB_EC_Steam3.wav 516156 88537eaeed16c6a4475d3b3738623aab AMB_EC_Steam4.wav 746556 b0916cc4d6668a9771afd01496f4e9d7 AMB_EC_Steam5.wav 737340 552e8c32ea1a04f69e98859e56077f1b AMB_EC_Steam6.wav 534588 f4cbc9d9a4f32adf2844ab97df798c76 AMB_EC_Steam7.wav 1021884 f041eb53748e5d47410a188c6e280b15 AMB_EC_Voices1.wav 307932 741c2d6d63ba0b3b464ea5b6b318cdbc AMB_EC_Voices10.wav 525372 28a17555fa442249cbd7861e80bcf5ac AMB_EC_Voices11.wav 313404 1b97f1b14fcab2201da745ed4f44e491 AMB_EC_Voices12.wav 672828 80c65f6b627b259796927adc6dde86f6 AMB_EC_Voices13.wav 362580 026576c28474118b04cc4a09fb6b5480 AMB_EC_Voices2.wav 307644 b3de08af73e56f93c10147e0b7f3bc57 AMB_EC_Voices3.wav 695292 ce594325ac41b2d95bea4a1a2a0449b4 AMB_EC_Voices4.wav 521916 b368c2a8995b000c340d3e1408e0fdc5 AMB_EC_Voices5.wav 292092 bf018e7ad6d6d4531753ef7ea0a1d16e AMB_EC_Voices6.wav 709692 be2f2d7447cb69309595e115f72e5500 AMB_EC_Voices7.wav 502332 1fb09252f8ac69036351661f653da142 AMB_EC_Voices8.wav 313404 aa2849ce3b7df30ffc894322f83a7497 AMB_EC_Voices9.wav 691260 4ff4887384d0d5697df491ea9ce6b51b comm static 1.wav 39012 4820878be0a0c67e2e2bfd1a82e9af60 comm static 2.wav 71052 6db8cae9fd2a8a7cf8fa9d3abe53ea1d comm static 3.wav 104172 2abe2439e393432e6ae4d596c283690c comm static 4.wav 93948 5e00320ced41a87a79aedc7ceaf5d57c comm voice 1.wav 189636 0b208c6775907edc63a65054fc807af5 comm voice 2.wav 196116 7af4f6576c1714391f1aa4a8b0100ca5 comm voice 3.wav 241044 08781a9e45eac3df26142d8478eb684d comm voice 4.wav 69036 948c41545db45969e71c0a5e7614a22f comm voice 5.wav 116484 d67a914b933f85f513f4d8e44d09980a comm voice 6.wav 83796 1f595aeaef1bdfb501a91de7638fe28f comm voice 7.wav 81852 b2b9fa426e3237ddeb79f0536869eca2 comm voice 8.wav 178620 df652e1d62a8b33af6a47acffb4fcadb comm voice 9.wav 110076 39b0f0a3d6d5ec10055b68e602b8675c Control Room Loop ver2.wav 543732 093c1519cb6bd6d6d3930d3f774b3485 Control Room Loop.wav 541860 0f23001b0319a568ac862ec7a1f5ee6f MainAudio Global A Button Select.wav 18708 895b82ec5a33bc8a786e2a690a734de3 Global B Button Back.wav 18708 45e2b8b11534d2da41900fa5ef5418f4 Global Completion Beep.wav 12012 2aa770f713594310639ec15ebf2695af Global Delete_Destroy.wav 41820 cdefc6e08f772d2c4ab77a564dc50183 Global Error Message B.wav 14964 dade2d5ecb0b754ec69d4bb4e887d42e Global Keyboard Stroke 1.wav 7044 e7662531b5b05431966732cb76a6fffa Global Keyboard Stroke 2.wav 11220 b516137d9257d3b975f6d9ad82b75750 Global Main MenuBack3ver2.wav 32892 b825773a71e8d3655bd8998cbbb424f4 Global Main MenuFwd3ver2.wav 24108 e5035e8fb6d1d16c16c1fda2a3339153 Global Progress Bar.wav 235356 d9820e39524a3b37e982fa77004655be Global Scroll Beep.wav 1572 67bc6aba697a1eb2714d8eda84da0405 MemoryAudio Memory Controller Select.wav 15828 54e676b7ff4dcdd295fabf1dfb9290e5 Memory Games Select.wav 45348 9e95263f0767a62119aa38e668248957 Memory Memory Slot Select.wav 12084 bb86674f7a85e0bf6d9dfb569cfcead4 MusicAudio Games Info Screen In MSurr.wav 63348 17a245d749339571cdc0fb9524a0ba20 Games Info Screen In.wav 63348 b02a19fcbbbe8f394c79c560e67fbeb6 Games Info Screen Out MSurr.wav 71052 c8a81e0046acbc0ce5712f7621422b5b Games Info Screen Out.wav 5964 2080b7f318e72e06c8e3c8a03656d03c Music CD Select.wav 30300 1104afb43a6aec2b678cda13befa811e SettingsAudio Settings Lang SubMenu Sel.wav 161340 73a89aab381849b9a51bf097293e9449 Settings Parent SubMenu Sel.wav 21372 74a51e1d0634f2a25585389c77b3dd63 TransitionAudio Games Main Menu In_LR.wav 72132 4ebfcf1125ace7e7417e513cf55faf84 Games Main Menu Out_LR.wav 75444 9f1e83b02961528a8920693ba2654a24 Games Sub Menu In_LR.wav 74220 8be59cc1ea9dd4c1349e446554a9e50c Games Sub Menu Out_LR.wav 83148 0d2b3642ed00c68ff26fea337bb21d17 Music Main Menu In_LR.wav 53484 cd9b4b30a8829689be34e10648b89257 Music Main Menu Out_LR.wav 51036 5dcceccf08ae7d4c537a1ad03d1b4d64 Music Select Track In_LR.wav 68388 80af0c1585d8f6fbfd02623182bc8155 Music Select Track Out_LR.wav 68100 e3aa18fd82b3d34df22e34b4fe3d49ed Settings Main Menu In_LR.wav 188844 7553686ac2ab1f1f9c9e16929ffce5ab Settings Main Menu Out_LR.wav 159252 4bc9fbffabb006fcc6d321ee4ba127ee Settings Sub Menu In_LR.wav 97908 2b6b47c092d70ae2ef926ff521b9d3d1 Settings Sub Menu Out_LR.wav 60468 1439f81e8dfab007d9dda12e3b8d34df fonts XBox Book.xtf 14440996 8f5b7cee650f389f1c5c7bb5f70386bb Xbox.xtf 19124720 de4a26c39de8001b95c749f8d3d22128 xboxdashdata.<see versions> AccountSelection.xip 1322518 497f17cc0941611e438093e5af73feb9 default.xip 1619954 c5f0ac7c917ff431739be68528562990 dvd.xip 167045 64feb8f1e5844fc3d4c4a4269677b8a3 jkeyboard.xip 732966 e2d462cd3df9f57a0d572f3229a87b51 Keyboard.xip 658238 c1b2b05a0a47a521d1f7d05ecb566432 LiveToday.xip 1226668 5f33f99506bb687bad95a735c6a9ea80 mainmenu5.xip 2300516 f2e318a54e2a7326c5b42c6def7d64d4 memory_files2.xip 2708134 295fcaec6ad66b14cf51c94d0ac1b999 Memory2.xip 2218462 4c7fcc324216117b8d54a273eb581c29 Message.xip 801609 abd85ff52590e61e0b7081f650175bae music_copy3.xip 1618605 2f7257186e5093b09a1fe5d96716b0c6 Music_PlayEdit2.xip 2593642 628a0c8ce9ee64a6fd3bc339fbb28913 music2.xip 2007578 4979f2dbcf721c1702cde15ed7961800 PasscodeVerify.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_adoc.xip 4208200 a73817afb22f622fc4c25bbd291db66a Settings_Clock.xip 1684098 c49e21dacb92d81ed18380e4354904e1 settings_language.xip 1429750 cf45a77a9bf6dc972344c6cee48adacc settings_list.xip 2928635 123a550fafb5c08b7a0c4437f7989820 settings_panel.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_parental.xip 1008362 1ae35811db2ecf5af08695ae8b681e6d settings_timezone.xip 1371154 b148d86596529ae3abaec6bb3185d13b settings_video.xip 1978178 a91d26866b85bf80005a7fc1ba59b442 settings3.xip 2966303 8d6076c0ee3a22646c0764c34296c8b8 WaitCursor.xip 33641 6ccd2d7f083ef995f3f67ce747e289a9 xodash audio LiveNowAudio Friend Offline.wav 54092 41b7a8fe061a1ff2552c9bf1188736f5 Friend Online.wav 54060 81ccfe1005276370c5cbb3e708807b62 Friend Request.wav 52436 d7c8b57e754b761d1b3101b3e709b3dd Game Invite.wav 29396 cd580938613a5407eb8bcaffe2688667 VoiceChatAudio Voice Chat Join.wav 26156 7fb1fe01240795fcbf564dabfad01b21 Voice Chat Leave.wav 37028 8021bcf17888d2803c0e419cffa7dbb5 media Content Japanese coc_jpn.txt 2347 f2feb7aa376a74240926d158dd74d65d ximejpm.dic 250528 b1a7b55b9694ed6a47a2b901415e6fc5 ximejps.dic 188288 83f581a5d8023013de26eb65b1467486 SavedGame SaveImage.xbx 18432 f378f3f8f19f3f679ee6a3a7497e104d TitleImage.xbx 67584 6327fec35dd1abe0c3f33ac5cde11c10 TitleMeta.xbx 800 630de678413ed09e15ae45aa231c1af6 TChinese twroc.dic 55226 48d0d50142126651f6090ec99e00b8c5 Xbg 3_doublebutton.xbg 207993 42b0b013d2c2e5817a3e4c8ab04bffb4 act_accountpin.xbg 653118 fe632805e6d6729e7e442fc96771a7d9 act_activation.xbg 59625 a7db0e486f391ad9101ee7d9a6abe7ca act_admin_policy.xbg 71938 135c297799488b118e93deb8ba6ea44e act_alt_names.xbg 84324 158225c13adae3057c062fb8f6730be7 act_billing.xbg 226372 fb04f93f5afed327400f6dae41a3f4e8 act_congrats.xbg 145440 4f773200049c715436c27cad462d3725 act_copy_delete.xbg 888221 66321645c2e21dc97221946871ad8894 act_country.xbg 184789 11ef5a0db7ff1c4e57c372f5ca8a474c act_forced_name.xbg 70512 b47c0cd89ef89019b8d4fb7e9f29078a act_id.xbg 80213 d7b2f7b2c8444c353a00b61963a37ff0 act_message_server.xbg 241052 6876fb92e1c92afc662562fb99a5abb4 act_new_opt_in.xbg 283121 2997402d4dd252d0746e5790b35abeab act_online.xbg 77774 dbd09ce5f9fd916724997bbe64aa7e6c act_overwrite.xbg 578090 c71ca452229dcd95bfee26b7d9424f3a act_passcode.xbg 722464 81526772f069a1c81b76254399fb8666 act_restrictions.xbg 198867 ecbfd5abe9bde3f28e7e21722c85e47c act_state.xbg 797805 1f2a1cacb023ac3c754d9548a38e8039 act_sub_3button.xbg 158866 112821cc587d1ad4cc99fa0d0a917273 act_sure.xbg 65137 5c1540d7ccec2c6607c8b0510f8f825a act_user_options.xbg 185180 e496c0538f2b825186b00e30f5709931 act_users2.xbg 88313 12ce8b2ae9d7d450660b7de5aebcaaf8 addfriend.xbg 1890765 f6bf945bea8ef86d593109b2d1866b89 anim_connecting.xbg 1034604 d414eabc933dc46e64b3703c54b8e574 anim_wait_5.xbg 25575 007a7e8f3f4b262414100cc48d8cbdb0 backbutton.xbg 81349 6b894fe7c6392836808dc6230bd7b0d0 bud_actions.xbg 146828 dbc004a2b3081507ae2c2efed71fb4a3 cellwall.xbg 190846 219a43d501df170e4affcae9e4b35e92 contextual.xbg 1937307 007ac7c3ddedad86a662bc9b115d1f00 feedback.xbg 1929240 d26e11eb96b135eac630dfcee1b7e5fb friends.xbg 2224276 afae13fb39cc559c24c85262509e888e gen_dob_tumblers.xbg 1276515 83c24a1a6ed4f405dc0caad816a0a204 gen_exp_tumblers.xbg 1262446 9e4d5fd47c810132f42bf9bc173a1908 gen_large_panel.xbg 210906 814dfbf474a031ab82f6271a4c0648db gen_mess_panel.xbg 347851 397c04b140e03b293b1a104e540d73fc j_candidates.xbg 254619 060728bbf7498173420a45be61b7c339 j_keyboard.xbg 737322 88c480d6b5ab9feb95b3e906760e2373 k_keyboard.xbg 426877 6388aede82d338db42b55752aa5b9d06 keyboard.xbg 375657 873fbf9ec6585103346bf0a381f95d93 keypad.xbg 202889 decf2d76e67af781ad34c220be6308f8 nts_dns.xbg 192159 bd54bc1e4246605937a828b3b6278a95 nts_ip.xbg 202623 9e100d8c7029c20cfc9bd7ee0fa6bc65 nts_settings.xbg 216718 512de7f31ef378651a5e783965ea7f24 nts_status.xbg 181806 0a0d4a2ed3c61c86258d6d3ae3fe3837 nts_wireless.xbg 231935 82a12b613465f617c90c7fdce118adef orb_master.xbg 348747 c259f4d1276582d32044826f6d88cedc selectbutton.xbg 73523 bf0fcf1cde1d1aa92b7335ab5d8c10a3 t_keyboard.xbg 405161 912e6bd830337868cb9b51d30c8c0121 voicechat.xbg 2327218 dd2e8dcea71fc8fa661daa7d6c9b0f6d voicemail.xbg 1948139 662585947a38eff1b5e74e871ea4d5be Xbx button.xbx 10240 fc14f24784a74a5d48004e48880086cb cellwall.xbx 67584 ff23d97f5263ee657cdd7d528bb1c95e darken_opacity.xbx 18432 7f24ebbab4f77fe612d0dd9491001e49 Disabled.xbx 10240 6d8da8de70e262767600d2b84eec43c2 disabled_highlight.xbx 6144 64f4dd2e2f5539ad6a11417abe0ef336 footer.xbx 34816 6a2124d31b374d9c3f426436aec35161 GameHilite_01.xbx 6144 c4fa23bce07f08dd360565d9b267b0b0 highlight.xbx 10240 1e99278554e5d4a0e42b808ebd833385 keyboard_alpha.xbx 18432 65553de7e37186f96942948cbe4639b9 Live_header.xbx 34816 fc46134b8dd7abf183e1d466d5afe6bf live_highlight_disabled.xbx 10240 5a2da8c4c763cdcf6ab7c23deaa64205 LiveChrome.xbx 67584 f64b49852005cc389d205ea1de8d1048 mess_panel_backing.xbx 18432 24459f91d4de55a521d2c75da81ac7de Options.xbx 18432 9e442a174906ef3e06c04c5cd43b6ddd panel1.xbx 18432 7ef04f5b0d0ce60e9ac385d5734d35a3 panel10.xbx 10240 2852c18e0b898a0cd0f74d957d1c4e1f panel11.xbx 18432 188290082b02fc03a2656ffdc131f309 panel12.xbx 18432 bf234eb3313b4af0f04a7eea816b0819 panel13.xbx 18432 c465aaacf64ff98d7e5c7501f15df4cd panel14.xbx 18432 5b52636f2ae781df267c27ba4f1fa1f4 panel15.xbx 10240 43ce1530ac07161c65b1ff5d02ddaf07 panel16.xbx 18432 1c35588436ba6d4a437fb1d22e8ed029 panel17.xbx 10240 7b9d574182f87b7c8bb9b1f16d07a234 panel18.xbx 18432 192a162567836159e44355a13b108ec6 panel19.xbx 18432 3d205c154cd434ae46009670b8a5c830 panel2.xbx 18432 4958bbd39d6adc867a323bd14e7fedfb panel20.xbx 18432 70fcee44a106f94f3d505b8fe36e89bd panel3.xbx 18432 7ddc37a40c11f91c4f5709275753682c panel4.xbx 18432 54ca9e18cadcabd704eff52270cf5aef panel5.xbx 18432 9a92cefceb843e4b634ef4862b2838f0 panel6.xbx 18432 5220d145a2d73f10018f822b746a33f9 panel7.xbx 18432 0fb78b53c5b037f006342a10f13447f5 panel8.xbx 18432 212a8b96d91eaab3788d33ea3f0f99d0 panel9.xbx 18432 25b985d4c995f4898ea1c3344cf0d2f0 Plain_header.xbx 34816 494a987d8bf0000ff972ec0926aa08dd pulse_3D_64_matte_trans.xbx 4096 7d9b93b859d90f855dbb0a17170821bc Pulse1.xbx 34816 364898b79abf0110779b849a4df38154 ridges.xbx 34816 caabfdb8e5aa2390d001d60247ff3b72 wireframe.xbx 10240 48468dbefff5fb21d52f8b66418a89f2 xbox2.xbx 264192 e86870b16246b4399a86c592a1f87b3b xbox4.xbx 67584 67f33ec44e706a322e2550a342340a3c xboxlogo.xbx 264192 77cf58d065229b28edda8b08709ac31d xboxlogow.xbx 264192 c4816fb72fe27cd18bb04a109b9facd1 update.xbe 2260992 <see versions> xonlinedash.xbe 2617344 <see versions> XBox Book.xtf 17068868 54751950aa215228a4915955f7d2ce0c Xbox.xtf 15613736 0466dd6c19ec9c1785e8aadfc8c5269e xboxdash.xbe 1961984 <see versions> E TDATA UDATA </pre> I have seen a few differences. I thought all my Xboxs had the same dashboard version, but I have 2 slightly different versions of files: == 185ead00 == Here are the differences for this dashboard <pre> C xboxdashdata.185ead00 xodash update.xbe 2260992 bc99ef8730158ba1bf3f1c9c84520661 xonlinedash.xbe 2617344 8149654a030d813bcc02a24f39fd3ce9 xboxdash.xbe 1961984 08d3a6f99184679aa13008d6397bacce </pre> == 185a6100 == Here are the differences for this dashboard <pre> C xboxdashdata.185a6100 xodash update.xbe 2260992 78ad0f3f0cb83010728e00457a778121 xonlinedash.xbe 2617344 01dd6c8aa72b473ba1523c73c6527d86 xboxdash.xbe 1961984 1fa397b44ec78965ef955539fd8f4fbd </pre> d4607dabcb01a877e9533ecad2f3798847496c4a 0 12 5025 22 2017-03-28T10:00:43Z Eighthpence 2472 /* List of known versions */ wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == 5849 (Dec 2003) 8e11eab0228c3e55d742a0bcce03c6f34c045aa6 5049 5025 2017-03-31T09:38:11Z PatrickvL 2473 Completed the list, plus a bit of history wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == * 3424 (alpha?) * 3911 (*) * 3925 (*) * 3936 (*) * 3937 (*) * 3941 (*) * 3948 (*) * 3950 (*) * 4034 (*) * 4039 (*) * 4134 (*) * 4242 (*) * 4361 * 4400 (rare) * 4432 * 4531 * 4627 * 4721 * 4831 * 4928 * 5028 * 5120 * 5233 * 5344 * 5455 * 5558 * 5659 * 5788 * 5849 (Dec 2003) * 5849.16 * 5933 (uncertain number - Dxbx code mentions 5911) (*) : Earlier XDK's contained libraries with different versions numbers. Before or around XDK version 4361, all libraries in the XDK were given the same version number. Note : An even more complete listing can be found here : http://codeasm.com/xbox/files/Xbox%20Kernel_Dash_XDK%20versions.txt 333d2b2afc28ed9683b75b531a891bd2716e3c74 0 1 5026 5014 2017-03-28T15:31:02Z PatrickvL 2473 Updated 2 links wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [[cxbx]] * [http://dxbx-emu.com Dxbx] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] ac86f9857c62b0b1243fcd70a5b5778f089d6711 5029 5026 2017-03-28T20:29:57Z Eighthpence 2472 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [[cxbx]] * [http://dxbx-emu.com Dxbx] * [[Xeon]] * [[Hackbox]] * [[kvmbox]] * [[MAME/Chihiro]] * [[MAME/Xbox]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 69a3d6a1982a0282fe688772f063e1f439423996 5032 5029 2017-03-28T20:43:32Z Eighthpence 2472 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 2e33ca46329f06557462cd2d1261555521003612 5040 5032 2017-03-29T12:51:12Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] e1da30f8f00a82b9e0d6ecdcfedf352521c9273c 5045 5040 2017-03-29T13:33:26Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 015cae19ebd9e526485e1b361b3c0ce930f389eb 5047 5045 2017-03-29T13:41:51Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded/Lobby on gitter.im]. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] b5f997cdc8533acfc95539b9720e8dc44aab7506 5059 5047 2017-04-21T21:42:09Z JayFoxRox 2 wikitext text/x-wiki == xboxdevwiki.net == Please help us fix this mess. This is an effort to document how the original Microsoft Xbox and the SEGA Chihiro work. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded/Lobby on gitter.im]. ---- Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] b24fb5fec95260cdfa354c83781a5027213536b2 0 3680 5027 2017-03-28T20:27:38Z Eighthpence 2472 Created page with "Seemingly abandoned, but then sprung back into life in 2016 after 7 years of inactivity. == References == [http://openxdk.sourceforge.net/]" wikitext text/x-wiki Seemingly abandoned, but then sprung back into life in 2016 after 7 years of inactivity. == References == [http://openxdk.sourceforge.net/] f5d177534ca1117264e8ed52c1e29439917faa74 5028 5027 2017-03-28T20:27:56Z Eighthpence 2472 /* References */ wikitext text/x-wiki Seemingly abandoned, but then sprung back into life in 2016 after 7 years of inactivity. == References == [http://openxdk.sourceforge.net/ openxdk.sourceforge.net] 3a421a138fd39b850c3dfdfb44f7192c81ab50a4 0 3681 5030 2017-03-28T20:36:01Z Eighthpence 2472 Created page with "The CPU in the Xbox was a custom Pentium 3 running at 733MHz. The 'custom' part of this was that that the Pentium 3 in the Xbox was that it had only 128KB L2 cache instead of..." wikitext text/x-wiki The CPU in the Xbox was a custom Pentium 3 running at 733MHz. The 'custom' part of this was that that the Pentium 3 in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs. == References == * [https://software.intel.com/en-us/articles/intel-sdm Intel® 64 and IA-32 Architectures Software Developer Manuals] (Sorry, I can't find just the documentation for the Pentium 3. Enjoy 4600+ pages, half of which is irrelevant!) 693d74df83de663ca67180c7951883f6240d6a91 0 3682 5031 2017-03-28T20:38:55Z Eighthpence 2472 Created page with "The Xbox is a games console developed by Microsoft and released in 2001. Emulation for it is not up to scratch." wikitext text/x-wiki The Xbox is a games console developed by Microsoft and released in 2001. Emulation for it is not up to scratch. 76381ec1a6dc7d533c141cb6a44e9c6fa48353c8 0 3683 5036 2017-03-28T21:12:56Z Eighthpence 2472 Created page with "If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. The pseudo code for..." wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. The pseudo code for a high level MCPX will look something like this: <pre> coming soon..... </pre> afa6ce0c80ab01eca411d9e025acd466fccc2fb7 5038 5036 2017-03-28T21:26:35Z Eighthpence 2472 wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) db5e4ed86808a186bf9403bf4e2896fe65f56fd3 0 3674 5037 5015 2017-03-28T21:15:19Z Eighthpence 2472 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The memory was shared between the CPU and GPU. The [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. Code for emulating the memory might consist of: <pre> #define MAIN_MEMORY 64 * 1024 * 1024 #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) int mcpx_active = 1; uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx = 0; } </pre> bf29929d520a9bf6ad9553756d0a9f94c670f0bd 5039 5037 2017-03-29T06:57:00Z Eighthpence 2472 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. On Debug Xboxs and Chihiro, only the BIOS is mapped. {| ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |BIOS |0xFF000000 - 0xFFFFFFFF |0xFF000000 - 0xFFFFFFFF |- |MCPX |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MAIN_MEMORY 128 * 1024 * 1024 int mcpx_active = 0; #else #define MAIN_MEMORY 64 * 1024 * 1024 int mcpx_active = 1; #endif #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx = 0; } </pre> 9395ffe4ef635a4b052c8416be48dcd8de20fda3 0 4 5041 6 2017-03-29T13:11:56Z JayFoxRox 2 The old version was missing more than half of the list. wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable" ! Title |- | Counter-Strike |} = Source Engine = {| class="wikitable" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here] and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 22f07ca80ef85575f05a8002d11db60395c4f592 1 3684 5042 2017-03-29T13:19:23Z JayFoxRox 2 Created page with "We should get output from cpuid here" wikitext text/x-wiki We should get output from cpuid here 2c2065a44314918bcc4cfa80614bbd0e1e82d4ba 5043 5042 2017-03-29T13:19:45Z JayFoxRox 2 wikitext text/x-wiki We should get output from cpuid here --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 06:19, 29 March 2017 (PDT) ad034dc8b007d019d1439800b962a26030fad271 0 3685 5044 2017-03-29T13:30:39Z JayFoxRox 2 Temporary hack wikitext text/x-wiki === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. NV2A expects round-to-zero, GLSL and other modern graphic APIs have it undefined.. It works with A0 += 1.0/255.0 as a temporary hack 28017b01b5194858918843e05eaf8e37b6d6d3a4 5046 5044 2017-03-29T13:37:20Z JayFoxRox 2 wikitext text/x-wiki === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 7e36c80e3d01de4d987dbcec9465fcad1f458938 1 3686 5048 2017-03-29T21:29:02Z JayFoxRox 2 Starting discussion where this list should go wikitext text/x-wiki Shall we merge this with https://en.wikipedia.org/wiki/List_of_Xbox_games and https://en.wikipedia.org/wiki/List_of_Xbox_games_with_alternate_display_modes ? We could just add a column for the engine so the list could be sorted. We could also add a column for all the XDK versions etc - it would be a massive table, but probably useful? Shall we do this somewhere else? google sheets? Shall we use a program to generate a mediawiki version for this wiki? Eitherway, we'd then create a page for every game to mention further technical details (See "Games/" articles) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 29 March 2017 (PDT) 4719ad92409bc5ba2f99180c140b1d7a8c29b514 0 3 5050 4999 2017-04-10T03:27:21Z JayFoxRox 2 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Matt Borgerson about the Xbox bootrom] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] 906d41373fcb819f1790a41f02c87ec2bfb6a944 5051 5050 2017-04-11T10:44:49Z JayFoxRox 2 Added 2 more articles wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Matt Borgerson about the Xbox bootrom] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] 7b4b23e4b8dc3652e6f3d65f8ff0204f06740c2a 0 9 5052 36 2017-04-21T19:26:54Z JayFoxRox 2 More register info, will be refactored soon wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Registers == * 16 input registers v[0] to v[15] (from vertex, v[0] is fed from LAUNCH_DATA for VSPs) * output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) * Following indices are aliased: Pos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3 * 1 Address register: A0.x * 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000) * The POS register is mirrored as R12 so it can be used as source operand, so effectively you have 13 temporaries == Instructions == ??? e65d36cb2d37e0980a744479005a6e65c13ff1e4 5053 5052 2017-04-21T19:36:42Z JayFoxRox 2 wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == * 16 input registers v[0] to v[15] (from vertex, v[0] is fed from LAUNCH_DATA for VSPs) * output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) ** Following indices are aliased: Pos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3 * 1 Address register: A0.x * 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000) ** The POS register is mirrored as R12 so it can be used as source operand, so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through method [FIXME], with 4x DWORD, ordered XYZW. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, describing the operation: {| class="wikitable" |+Fields |- |Offset (bits) |Size (bits) |Meaning |- |0 |0 |TODO |- |0 |0 |TODO |} 662448e90085c297397905add55eb5bd8572c32e 5054 5053 2017-04-21T21:04:35Z JayFoxRox 2 Added fields wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == * 16 input registers v[0] to v[15] (from vertex, v[0] is fed from LAUNCH_DATA for VSPs) * output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) ** Following indices are aliased: Pos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3 * 1 Address register: A0.x * 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000) ** The POS register is mirrored as R12 so it can be used as source operand, so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through method [FIXME], with 4x DWORD, ordered XYZW. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} 30d2dc45d6bd011c30092f331d1465324cc9cdf1 5055 5054 2017-04-21T21:08:00Z JayFoxRox 2 /* Constant space */ wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == * 16 input registers v[0] to v[15] (from vertex, v[0] is fed from LAUNCH_DATA for VSPs) * output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) ** Following indices are aliased: Pos, oD0, oD1, oFog, oPts, oB0, oB1, oT0, oT1, oT2, oT3 * 1 Address register: A0.x * 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000) ** The POS register is mirrored as R12 so it can be used as source operand, so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} e7caddf89e23025af2823da1f2887022f8dc6f8d 5056 5055 2017-04-21T21:13:49Z JayFoxRox 2 more explanations and more mentions of the GL spec wikitext text/x-wiki The Xbox implements https://www.opengl.org/registry/specs/NV/vertex_program.txt and https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [map to the vertex attributes|NV2A/Vertex attributes]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) The alias names from the GL extension match. === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[POS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} b37aed12ff7eae86fb3205fcb84f9b11e867e026 5057 5056 2017-04-21T21:29:45Z JayFoxRox 2 wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === output registers: o[0] to o[?] (initialized to XYZ=0x00000000 W=0x3F800000) The alias names from the GL extension match. === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[POS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} 16e9a664a8a7c1f7678b275a881442bcc9564ebe 5060 5057 2017-04-21T21:56:41Z JayFoxRox 2 Added first revision of ouptut register table wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- |Index |GL Name |D3D Name |Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |oD0 |COL0 |Primary color (front-facing) |- |4 |oD1 |COL1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[POS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} dd9754c31e31fa374817c81de8c04adbaed93002 5061 5060 2017-04-21T21:57:25Z JayFoxRox 2 /* Output registers */ wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- |Index |GL Name |D3D Name |Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[POS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} 962c9be066318e1e588b27057fcea8889acdb43a 5062 5061 2017-04-21T21:57:38Z JayFoxRox 2 /* Temporary registers */ wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- |Index |GL Name |D3D Name |Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} 403581c7c42b275287bee9765ca5f40872c88d99 5065 5062 2017-04-22T09:13:25Z JayFoxRox 2 Added opcodes wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- |Index |GL Name |D3D Name |Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- |Meaning |Word |Offset (bits) |Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- |Value |Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- |Value |Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- |Value |Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} 6436c1f15959ab71568e6408ff1df1594d2e2e2c 0 3687 5058 2017-04-21T21:41:16Z JayFoxRox 2 Very rough info wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. === Normalized unsigned Byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned Byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? 4dcf3ae0be9282d5ca44e81679e6c161d2bf173d 5063 5058 2017-04-21T21:58:38Z JayFoxRox 2 wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? 98a5d42ad98d5d97e1a408cbc021dfd89e4a29b7 5064 5063 2017-04-22T08:52:51Z JayFoxRox 2 Tried to document draw methods / vertex uploads. Still very wip and unverified wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. Please take everything with a grain of salt - it's still being researched. == Draw methods == === Draw Arrays === Data uploaded through DMA. Each attribute has it's own offset and stride. Decoded using the attribute information. === Inline Buffer === Data uploaded and decoded through PGRAPH methods. ==== NV097_SET_VERTEX_DATA2F_M ... NV097_SET_VERTEX_DATA2F_M + 0x7c ==== ==== NV097_SET_VERTEX_DATA4F_M ... NV097_SET_VERTEX_DATA4F_M + 0xfc ==== ==== NV097_SET_VERTEX_DATA2S ... NV097_SET_VERTEX_DATA2S + 0x3c ==== ==== NV097_SET_VERTEX_DATA4UB ... NV097_SET_VERTEX_DATA4UB + 0x3c ==== ==== NV097_SET_VERTEX_DATA4S_M ... NV097_SET_VERTEX_DATA4S_M + 0x7c ==== === Inline Array === Data uploaded through PHRAPH method NV097_INLINE_ARRAY. The attributes are tightly packed in that buffer. Decoded using the attribute information. === Inline Elements === Same as "Draw Arrays" but with an extra index buffer. The index buffer is uploaded through PGRAPH methods NV097_ARRAY_ELEMENT16 and NV097_ARRAY_ELEMENT32. == Attribute Types == === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? 3a152188dad662d143d3240e9057005fd10cc066 0 3687 5068 5064 2017-04-22T10:39:24Z JayFoxRox 2 typo wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. Please take everything with a grain of salt - it's still being researched. == Draw methods == === Draw Arrays === Data uploaded through DMA. Each attribute has it's own offset and stride. Decoded using the attribute information. === Inline Buffer === Data uploaded and decoded through PGRAPH methods. ==== NV097_SET_VERTEX_DATA2F_M ... NV097_SET_VERTEX_DATA2F_M + 0x7c ==== ==== NV097_SET_VERTEX_DATA4F_M ... NV097_SET_VERTEX_DATA4F_M + 0xfc ==== ==== NV097_SET_VERTEX_DATA2S ... NV097_SET_VERTEX_DATA2S + 0x3c ==== ==== NV097_SET_VERTEX_DATA4UB ... NV097_SET_VERTEX_DATA4UB + 0x3c ==== ==== NV097_SET_VERTEX_DATA4S_M ... NV097_SET_VERTEX_DATA4S_M + 0x7c ==== === Inline Array === Data uploaded through PGRAPH method NV097_INLINE_ARRAY. The attributes are tightly packed in that buffer. Decoded using the attribute information. === Inline Elements === Same as "Draw Arrays" but with an extra index buffer. The index buffer is uploaded through PGRAPH methods NV097_ARRAY_ELEMENT16 and NV097_ARRAY_ELEMENT32. == Attribute Types == === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? 6e69f40c621b8b140ac2472a18c27c97f1a5f46b 0 9 5069 5065 2017-04-22T10:45:59Z JayFoxRox 2 Table headers wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} 651e8519c3898a0097342a1dd20bb1a28e95b496 0 3678 5070 5067 2017-04-22T10:46:29Z JayFoxRox 2 Table headers wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only?!?? |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only?!?? |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- | |361 |Unused? |- | |362 |Unused? |- | |363 |Unused? |- | |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only?! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only?! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only?! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only?! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only?! |} == See Also == [[Hard Drive Files]] 6142f325b3812d9c00e5a1476900ad8f122789bf 5071 5070 2017-04-22T10:49:14Z SoullessSentinel 2475 wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] de5d81730669970581640707e317b5f9d6b54841 5073 5071 2017-04-22T11:06:18Z SoullessSentinel 2475 Consistency of "Devkits only!" wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 8e56eb4e69266eef10a22ae30e06453ed1d75878 0 3674 5072 5039 2017-04-22T10:50:50Z JayFoxRox 2 Fixed bug in pseudocode wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. On Debug Xboxs and Chihiro, only the BIOS is mapped. {| ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |BIOS |0xFF000000 - 0xFFFFFFFF |0xFF000000 - 0xFFFFFFFF |- |MCPX |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MAIN_MEMORY 128 * 1024 * 1024 int mcpx_active = 0; #else #define MAIN_MEMORY 64 * 1024 * 1024 int mcpx_active = 1; #endif #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> b3efc1257111c2ff867fe55f008b1c5fcd29d3fb 0 3688 5074 2017-04-23T11:57:38Z JayFoxRox 2 Mostly stolen from 3dbrew wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> This wiki was started by xqemu (Xbox emulator) authors. It will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode or Cxbx-Reloaded/Lobby on gitter.im. </div> </div> 47b46ecd6231db0c32feb5e486d26d3c3d277783 0 1 5075 5059 2017-04-23T11:58:25Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 0f5ae7e313beff1339b9f752733f16402a806a9d 5081 5075 2017-04-30T01:25:05Z Furon 2477 Added XBDM link wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [http://xqemu.com xqemu Xbox emulator] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 35d1da08f6bc5760ab4a345cbeb008580311d738 0 3671 5076 5007 2017-04-26T19:51:10Z Eighthpence 2472 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors (there are 4 of them) and also the USB, PCI, IDE, etc, controllers (please remove this disclaimer if I'm right, or fix it if I'm wrong.) The MCPX is also the home to the secret [[MCPX ROM]]. 1d6026b885cb23ebdfd027ecb1880517958b85dc 0 3683 5077 5038 2017-04-27T19:10:55Z Eighthpence 2472 wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. == Xcodes == The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 11b99ec62155e05655b7b18ccd0f02324f246a81 5078 5077 2017-04-27T19:26:38Z Eighthpence 2472 wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. == Xcodes == The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> == RC4 Decryption of the 2BL == Decryption of the 2BL seems to happen in 4 stages. === Stage 1 === Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> === Stage 2 === Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> === Stage 3 === Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> === Stage 4 === Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95fe4) == MAGIC_NUMBER) { eip = 0x900000; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) d2058613cbff6dd65bf3a17a194d0b2ff9ea42cb 5079 5078 2017-04-27T19:37:29Z Eighthpence 2472 /* Stage 4 */ wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. == Xcodes == The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> == RC4 Decryption of the 2BL == Decryption of the 2BL seems to happen in 4 stages. === Stage 1 === Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> === Stage 2 === Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> === Stage 3 === Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> === Stage 4 === Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 0366549ca0d66134fcb692655de9144004b88f06 0 3689 5080 2017-04-30T01:23:27Z Furon 2477 Created page wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 16-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 16-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 2 and Type 3 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, sends a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== TODO 5625f38930f6afaa082ae59146187523179e1834 5082 5080 2017-04-30T01:33:08Z Furon 2477 Correct bit width of first two NAP fields wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 2 and Type 3 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, sends a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== TODO 23c5b186c482a5f5cb0ff9dbb2d01082cf2f0366 5083 5082 2017-04-30T02:13:32Z Furon 2477 Added external links wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 2 and Type 3 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, sends a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== TODO ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of Xbox Neighborhood written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 22b1d8e29357e9ff0114673eb4a16505339370ec 5084 5083 2017-04-30T02:18:37Z Furon 2477 Correct Name Length NAP field description wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, sends a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== TODO ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of Xbox Neighborhood written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. b3071884b06dd06ca4140ace95cc940fc512bacd 5086 5084 2017-04-30T02:28:20Z Furon 2477 Add Xbox Neighborhood links wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, sends a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. bd1189231c2a8e5812bb8497193f1dfc12a864f0 5088 5086 2017-04-30T21:28:55Z Furon 2477 Expand the RDCP section a bit wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>C:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based, line-oriented, request-response protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client. ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 099059a622cff1558e28aa1e436f40c06d6419f3 5090 5088 2017-05-01T15:26:41Z Furon 2477 Correct location of config file wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based, line-oriented, request-response protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client. ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. e0e3ef99532224a03b730c131e55c7ebcfa73eed 5109 5090 2017-05-09T23:01:00Z Furon 2477 Add overview and status code information to RDCP section wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. ===Overview=== When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or simply <LF>. A command consists of a name and zero or more parameters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameters that contain whitespace must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). Upon receipt of a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== 2xx status codes indicate success, while 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command that doesn't expect to send or receive any additional data. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. The client must satisfy the command's expectation before sending another command. ; 205- dedicated : The connection has been moved to a dedicated processing thread. ====4xx Failure==== TODO ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 94b8e962fabb3aa92711341bd6df566cedeb5510 5110 5109 2017-05-10T01:55:20Z Furon 2477 Clarify behavior of XBDM after sending code 204 wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. ===Overview=== When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or simply <LF>. A command consists of a name and zero or more parameters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameters that contain whitespace must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). Upon receipt of a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== 2xx status codes indicate success, while 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command that doesn't expect to send or receive any additional data. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final status of the command. ; 205- dedicated : The connection has been moved to a dedicated processing thread. ====4xx Failure==== TODO ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 52c1a70e1234c1a52de0a787a2abb56ad40cd32b 5111 5110 2017-05-10T03:16:16Z Furon 2477 /* 2xx Success */ Fix 200 status wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. ===Overview=== When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or simply <LF>. A command consists of a name and zero or more parameters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameters that contain whitespace must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). Upon receipt of a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== 2xx status codes indicate success, while 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final status of the command. ; 205- dedicated : The connection has been moved to a dedicated processing thread. ====4xx Failure==== TODO ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 8bf934e7a23f423336421ff1a821dc4614939e48 0 3690 5085 2017-04-30T02:25:05Z Furon 2477 Create page wikitext text/x-wiki '''Xbox Neighborhood''' is a Windows shell extension that provides the ability to manages files on Xbox Development Kits in Windows Explorer. d99e8bba380992db83f680b89cad847664203314 5087 5085 2017-04-30T03:22:57Z Furon 2477 Fix typo wikitext text/x-wiki '''Xbox Neighborhood''' is a Windows shell extension that provides the ability to manage files on Xbox Development Kits in Windows Explorer. 7c95b45d46813b4439f5aee9d6b9db3f4916a23a 0 11 5089 20 2017-05-01T03:23:52Z Mborgerson 2478 wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} b74a42859d574a55ebf89358c1e2ccdb4510d2b7 5115 5089 2017-05-11T16:24:51Z JayFoxRox 2 Added horrible docs for Steel Batallion Controller wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == Steel Batallion Controller == === USB Device Scriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>//FIXME: Convert to field masks typedef enum { EmergencyEject = 4, CockpitHatch = 5, Ignition = 6, Start = 7, OpenClose = 8, MapZoomInOut = 9, ModeSelect = 10, SubMonitorModeSelect = 11, MainMonitorZoomIn = 12, MainMonitorZoomOut = 13, Gear5 = 41, Gear4 = 40, Gear3 = 39, Gear2 = 38, Gear1 = 37, GearN = 36, GearR = 35, Comm5 = 33, Comm4 = 32, Comm3 = 31, Comm2 = 30, Comm1 = 29, MagazineChange = 28, SubWeaponControl = 27, MainWeaponControl = 26, F3 = 25, F2 = 24, F1 = 23, NightScope = 22, Override = 21, TankDetach = 20, Chaff = 19, Extinguisher = 18, Washing = 17, LineColorChange = 16, Manipulator = 15, ForecastShootingSystem = 14, } LEDEnum; // Sets the intensity of the specified LED in the buffer, but gives the option on whether you want // to send the buffer to the controller. This can be useful for updating multiple LED's at the // same time, but not waiting for the LED buffer to transfer to the device after each call. // &lt;param name=&quot;LightId&quot;&gt;A ControllerLEDEnum value that specifies which LED to modify&lt;/param&gt; // &lt;param name=&quot;Intensity&quot;&gt;The intensity of the LED, ranging from 0 to 15&lt;/param&gt; // &lt;param name=&quot;refreshState&quot;&gt;A boolean value indicating whether to refresh the buffer on the device.&lt;/param&gt; public void SetLEDState(ControllerLEDEnum LightId, int Intensity, bool refreshState) { int hexPos = ((int) LightId) % 2; int bytePos = (((int) LightId) - hexPos) / 2; if (Intensity &gt; 0x0f) Intensity = 0x0f; // Erase the byte position, and set the light intensity rawLEDData[bytePos&amp;= (byte) ((hexPos == 1)?0x0F:0xF0); rawLEDData[bytePos+= (byte) (Intensity * ((hexPos == 1)?0x10:0x01)); if (refreshState) { RefreshLEDState(); } }</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} 41c2d7b5be5480d70026964b6834035dc3d65e25 5116 5115 2017-05-11T16:39:12Z JayFoxRox 2 Fixup Steel Batallion LED fields wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == Steel Batallion Controller == === USB Device Scriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum; }</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} 8b0ec8641359dec76f444113d29b2078b63ea8b4 5117 5116 2017-05-11T16:39:44Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == Steel Batallion Controller == === USB Device Scriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} ab732282e79db59e5c20be699ee3292d50e29056 0 3691 5091 2017-05-07T21:05:17Z Wayo 2479 Created page with "== Xbox Live infrastructure == Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:4c:01 (00:50:f2:f2:4c:01), Dst: Broadcast (ff:ff:ff:ff:ff:ff)..." wikitext text/x-wiki == Xbox Live infrastructure == Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:4c:01 (00:50:f2:f2:4c:01), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) 42bc2ad0af363cc382130631a81121b9f2961374 5092 5091 2017-05-07T21:05:41Z Wayo 2479 /* Heartbeat */ wikitext text/x-wiki == Xbox Live infrastructure == Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) 63416dc63f50c42453a52410708a1fbec7b76fba 5093 5092 2017-05-07T21:28:06Z Wayo 2479 /* Xbox Live infrastructure */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) 511a6f1d33e21b4520e61c1bde444d7e49f5d57c 5094 5093 2017-05-07T21:57:59Z Wayo 2479 wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.se7ensins.com/forums/threads/a-detailed-explanation-as-to-why-xbox-live-is-down-for-some.1617925/ https://www.se7ensins.com/forums/threads/a-detailed-explanation-as-to-why-xbox-live-is-down-for-some.1617925/] 9ef5ea3e8bb5daa69cd72d2ddadfa32b5fbe2d57 5095 5094 2017-05-07T22:00:24Z Wayo 2479 /* References and links */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] a7b4e2030c1d6e77a0125565e6918e06e329db9d 5096 5095 2017-05-08T19:05:31Z Wayo 2479 /* Xbox Live infrastructure */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | ? |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] 3ab16219542a754e8695493bcd8fcf85f54bf45f 5097 5096 2017-05-08T19:26:26Z Wayo 2479 /* Kerberos Authentication */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] b43ea8131aec732eed65700a8ba824faefc3af61 5098 5097 2017-05-09T07:02:53Z Wayo 2479 wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* XOnline* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XOnlineGetUsers( XBLAccountusers, &numOfXBLiveAccounts ) | |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) | |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) | |- | XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) | |- | XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XNetGetEthernetLinkStatus() | |- |XOnlineGetLogonUsers() | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] 7a006b273e33ef363219ceb7776bc96edfb3d542 5099 5098 2017-05-09T07:05:13Z Wayo 2479 /* References and links */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* XOnline* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XOnlineGetUsers( XBLAccountusers, &numOfXBLiveAccounts ) | |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) | |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) | |- | XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) | |- | XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XNetGetEthernetLinkStatus() | |- |XOnlineGetLogonUsers() | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] db22cb960205d8d69a51aa5a6d1b5488d3cb6a32 5101 5099 2017-05-09T09:49:20Z Wayo 2479 Replaced content with "[[Xbox Live]]" wikitext text/x-wiki [[Xbox Live]] 27a7f7759ea018ef5a9f7e053d55438bcff406a4 0 3692 5100 2017-05-09T09:48:38Z Wayo 2479 Created page with "== Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! descr..." wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos Authentication === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* XOnline* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XOnlineGetUsers( XBLAccountusers, &numOfXBLiveAccounts ) | |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) | |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) | |- | XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) | |- | XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XNetGetEthernetLinkStatus() | |- |XOnlineGetLogonUsers() | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] db22cb960205d8d69a51aa5a6d1b5488d3cb6a32 5102 5100 2017-05-09T09:49:50Z Wayo 2479 /* Xbox Live infrastructure */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* XOnline* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XOnlineGetUsers( XBLAccountusers, &numOfXBLiveAccounts ) | |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) | |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) | |- | XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) | |- | XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XNetGetEthernetLinkStatus() | |- |XOnlineGetLogonUsers() | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] 3b4f1d68cc262158430d463dca7c224d38bc5fb1 5103 5102 2017-05-09T09:54:51Z Wayo 2479 /* Xbox Live Functions */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers( XBLAccountusers, &numOfXBLiveAccounts ) | |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) | |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) | |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) | |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] 6f11a62930373edd7260934211b239ba88a79da0 5104 5103 2017-05-09T11:35:40Z Wayo 2479 /* Xbox Live Functions */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] a6353b68e2a982e6a8b90254366df88b507a8cc8 5107 5104 2017-05-09T13:02:07Z Wayo 2479 wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] e790a9d0b9b4cfe2dcce34bf3480cd5f81899171 5108 5107 2017-05-09T14:48:00Z Wayo 2479 /* References and links */ wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] f041fe96109513c0441cd8aff80a9a6dd97eb3dd 5112 5108 2017-05-11T14:03:02Z Wayo 2479 Wayo moved page [[Xbox Live]] to [[Network]]: Making it more generic wikitext text/x-wiki == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] f041fe96109513c0441cd8aff80a9a6dd97eb3dd 5114 5112 2017-05-11T14:05:37Z Wayo 2479 wikitext text/x-wiki == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live infrastructure == Kerberos Authentication Server: macs.xboxlive.com === Kerberos === {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Xbox Live Functions == {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] 318b01aef88cc06b683080491ea2328b02bb3827 0 4 5105 5041 2017-05-09T12:19:08Z Wayo 2479 wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 137acdc95e6787bd258e1ef3c34d1d9187faf1b3 5106 5105 2017-05-09T12:19:28Z Wayo 2479 wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 6424aa04b766668eee70bf12eec4379e9a2a6da2 0 3693 5113 2017-05-11T14:03:02Z Wayo 2479 Wayo moved page [[Xbox Live]] to [[Network]]: Making it more generic wikitext text/x-wiki #REDIRECT [[Network]] 33df8dc4bf034e7312e5350fd80f7d07dc1609f0 0 11 5118 5117 2017-05-11T21:43:24Z JayFoxRox 2 wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == Steel Batallion Controller == === USB Device Descriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} e832502e81178b49eea188de3ab597e60a5c8409 5119 5118 2017-05-11T22:48:32Z JayFoxRox 2 /* Steel Batallion Controller */ wikitext text/x-wiki == Standard Gamepads == == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Device Descriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} 21acbe3a7cfe769ca87fcde9f84021fc1056b9b8 5121 5119 2017-05-12T08:01:16Z JayFoxRox 2 Standard Gamepads + Overview wikitext text/x-wiki == XID Overview == XIDs are USB devices. === Wiring === Untested / unverified! Take this with a grain of salt. {| |Pin |Typical cable color |Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === <pre>DPAD_UP = FIELD_MASK(0, 1 << 0) DPAD_DOWN = FIELD_MASK(0, 1 << 1) DPAD_LEFT = FIELD_MASK(0, 1 << 2) DPAD_RIGHT = FIELD_MASK(0, 1 << 3) START = FIELD_MASK(0, 1 << 4) BACK = FIELD_MASK(0, 1 << 5) LEFT_THUMB = FIELD_MASK(0, 1 << 6) RIGHT_THUMB = FIELD_MASK(0, 1 << 7) A = FIELD_MASK(2, 0xFF), // These buttons are analog! B = FIELD_MASK(3, 0xFF), X = FIELD_MASK(4, 0xFF), Y = FIELD_MASK(5, 0xFF), BLACK = FIELD_MASK(6, 0xFF), WHITE = FIELD_MASK(7, 0xFF), LEFT_TRIGGER = FIELD_MASK(8, 0xFF), RIGHT_TRIGGER = FIELD_MASK(9, 0xFF), sThumbLX = FIELD_MASK(10, 0xFFFF), sThumbLY = FIELD_MASK(12, 0xFFFF), sThumbRX = FIELD_MASK(14, 0xFFFF), sThumbRY = FIELD_MASK(16, 0xFFFF),</pre> === Xbox to Controller === <pre>left_actuator_strength = FIELD_MASK(0, 0xFFFF), right_actuator_strength = FIELD_MASK(2, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Device Descriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} 69147005e98a3ee1bf0c0965ec562ae59ebaaaf0 5122 5121 2017-05-12T08:02:02Z JayFoxRox 2 wikitable for wiring wikitext text/x-wiki == XID Overview == XIDs are USB devices. === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === <pre>DPAD_UP = FIELD_MASK(0, 1 << 0) DPAD_DOWN = FIELD_MASK(0, 1 << 1) DPAD_LEFT = FIELD_MASK(0, 1 << 2) DPAD_RIGHT = FIELD_MASK(0, 1 << 3) START = FIELD_MASK(0, 1 << 4) BACK = FIELD_MASK(0, 1 << 5) LEFT_THUMB = FIELD_MASK(0, 1 << 6) RIGHT_THUMB = FIELD_MASK(0, 1 << 7) A = FIELD_MASK(2, 0xFF), // These buttons are analog! B = FIELD_MASK(3, 0xFF), X = FIELD_MASK(4, 0xFF), Y = FIELD_MASK(5, 0xFF), BLACK = FIELD_MASK(6, 0xFF), WHITE = FIELD_MASK(7, 0xFF), LEFT_TRIGGER = FIELD_MASK(8, 0xFF), RIGHT_TRIGGER = FIELD_MASK(9, 0xFF), sThumbLX = FIELD_MASK(10, 0xFFFF), sThumbLY = FIELD_MASK(12, 0xFFFF), sThumbRX = FIELD_MASK(14, 0xFFFF), sThumbRY = FIELD_MASK(16, 0xFFFF),</pre> === Xbox to Controller === <pre>left_actuator_strength = FIELD_MASK(0, 0xFFFF), right_actuator_strength = FIELD_MASK(2, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Device Descriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> == USB Adapters == The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} a6c5e5c4c507ee3d52bd905e3ca091b46ae137b2 5123 5122 2017-05-12T08:04:05Z JayFoxRox 2 Moved USB adapter section to top for visibility wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === <pre>DPAD_UP = FIELD_MASK(0, 1 << 0) DPAD_DOWN = FIELD_MASK(0, 1 << 1) DPAD_LEFT = FIELD_MASK(0, 1 << 2) DPAD_RIGHT = FIELD_MASK(0, 1 << 3) START = FIELD_MASK(0, 1 << 4) BACK = FIELD_MASK(0, 1 << 5) LEFT_THUMB = FIELD_MASK(0, 1 << 6) RIGHT_THUMB = FIELD_MASK(0, 1 << 7) A = FIELD_MASK(2, 0xFF), // These buttons are analog! B = FIELD_MASK(3, 0xFF), X = FIELD_MASK(4, 0xFF), Y = FIELD_MASK(5, 0xFF), BLACK = FIELD_MASK(6, 0xFF), WHITE = FIELD_MASK(7, 0xFF), LEFT_TRIGGER = FIELD_MASK(8, 0xFF), RIGHT_TRIGGER = FIELD_MASK(9, 0xFF), sThumbLX = FIELD_MASK(10, 0xFFFF), sThumbLY = FIELD_MASK(12, 0xFFFF), sThumbRX = FIELD_MASK(14, 0xFFFF), sThumbRY = FIELD_MASK(16, 0xFFFF),</pre> === Xbox to Controller === <pre>left_actuator_strength = FIELD_MASK(0, 0xFFFF), right_actuator_strength = FIELD_MASK(2, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Device Descriptor === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> f700c89c6ccef747aa2885cb7278b069f112c363 5124 5123 2017-05-12T09:07:41Z JayFoxRox 2 /* USB Device Descriptor */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === <pre>DPAD_UP = FIELD_MASK(0, 1 << 0) DPAD_DOWN = FIELD_MASK(0, 1 << 1) DPAD_LEFT = FIELD_MASK(0, 1 << 2) DPAD_RIGHT = FIELD_MASK(0, 1 << 3) START = FIELD_MASK(0, 1 << 4) BACK = FIELD_MASK(0, 1 << 5) LEFT_THUMB = FIELD_MASK(0, 1 << 6) RIGHT_THUMB = FIELD_MASK(0, 1 << 7) A = FIELD_MASK(2, 0xFF), // These buttons are analog! B = FIELD_MASK(3, 0xFF), X = FIELD_MASK(4, 0xFF), Y = FIELD_MASK(5, 0xFF), BLACK = FIELD_MASK(6, 0xFF), WHITE = FIELD_MASK(7, 0xFF), LEFT_TRIGGER = FIELD_MASK(8, 0xFF), RIGHT_TRIGGER = FIELD_MASK(9, 0xFF), sThumbLX = FIELD_MASK(10, 0xFFFF), sThumbLY = FIELD_MASK(12, 0xFFFF), sThumbRX = FIELD_MASK(14, 0xFFFF), sThumbRY = FIELD_MASK(16, 0xFFFF),</pre> === Xbox to Controller === <pre>left_actuator_strength = FIELD_MASK(0, 0xFFFF), right_actuator_strength = FIELD_MASK(2, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> d5e3d7befb6a8eb4261cb4e752f3fefd61cc99e3 5125 5124 2017-05-12T09:11:22Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === <pre>left_actuator_strength = FIELD_MASK(0, 0xFFFF), right_actuator_strength = FIELD_MASK(2, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> 89bf79128ed834dba197d254c55f61f61415e9d8 5126 5125 2017-05-12T09:11:37Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt rawControlData = new Byte[26]; typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> 0778988fcca7de4382944b677de87ee57418422d 5127 5126 2017-05-12T09:12:02Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === <pre>rawLEDData = new Byte[34]; typedef enum { EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> 4b5b9b761dbe1723fec0c3fc387ce93b41681b2a 5128 5127 2017-05-12T09:12:39Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0), } LEDEnum;</pre> 62277e21ae704c7a33212e02b2f73d1785574840 5129 5128 2017-05-12T09:13:10Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt typedef enum { RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. } ButtonEnum;</pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> e035269e5d47b907e1a7fe5a4f4df86b511407fd 5130 5129 2017-05-12T09:13:30Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes <pre>DPAD_UP = FIELD_MASK(2, 1 << 0) DPAD_DOWN = FIELD_MASK(2, 1 << 1) DPAD_LEFT = FIELD_MASK(2, 1 << 2) DPAD_RIGHT = FIELD_MASK(2, 1 << 3) START = FIELD_MASK(2, 1 << 4) BACK = FIELD_MASK(2, 1 << 5) LEFT_THUMB = FIELD_MASK(2, 1 << 6) RIGHT_THUMB = FIELD_MASK(2, 1 << 7) A = FIELD_MASK(4, 0xFF), // These buttons are analog! B = FIELD_MASK(5, 0xFF), X = FIELD_MASK(6, 0xFF), Y = FIELD_MASK(7, 0xFF), BLACK = FIELD_MASK(8, 0xFF), WHITE = FIELD_MASK(9, 0xFF), LEFT_TRIGGER = FIELD_MASK(10, 0xFF), RIGHT_TRIGGER = FIELD_MASK(11, 0xFF), sThumbLX = FIELD_MASK(12, 0xFFFF), sThumbLY = FIELD_MASK(14, 0xFFFF), sThumbRX = FIELD_MASK(16, 0xFFFF), sThumbRY = FIELD_MASK(18, 0xFFFF),</pre> === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 6d24d8e63696b45d9e30a5937aed168b776e95f0 5131 5130 2017-05-12T09:21:32Z JayFoxRox 2 Turned field enum into table (WIP) wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (bits) !Mask (bits) !Notes |- |DPAD_UP |8*2 |1 << 0 | |- |DPAD_DOWN |8*2 |1 << 1 | |- |DPAD_LEFT |8*2 |1 << 2 | |- |DPAD_RIGHT |8*2 |1 << 3 | |- |START |8*2 |1 << 4 | |- |BACK |8*2 |1 << 5 | |- |LEFT_THUMB |8*2 |1 << 6 | |- |RIGHT_THUMB |8*2 |1 << 7 | |- |A |8*4 |0xFF |Button is analog |- |B |8*5 |0xFF |Button is analog |- |X |8*6 |0xFF |Button is analog |- |Y |8*7 |0xFF |Button is analog |- |BLACK |8*8 |0xFF |Button is analog |- |WHITE |8*9 |0xFF |Button is analog |- |LEFT_TRIGGER |8*10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER ||8*11 |0xFF |Trigger is analog |- |sThumbLX |8*12 |0xFFFF | |- |sThumbLY |8*14 |0xFFFF | |- |sThumbRX |8*16 |0xFFFF | |- |sThumbRY |8*18 |0xFFFF | |} === Xbox to Controller === 6 bytes <pre>left_actuator_strength = FIELD_MASK(2, 0xFFFF), right_actuator_strength = FIELD_MASK(4, 0xFFFF),</pre> == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 932636b9788019fb11193d68bd708bd08298193c 5132 5131 2017-05-12T09:23:58Z JayFoxRox 2 Turned field enum into table wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (bits) !Mask (bits) !Notes |- |DPAD_UP |8*2 |1 << 0 | |- |DPAD_DOWN |8*2 |1 << 1 | |- |DPAD_LEFT |8*2 |1 << 2 | |- |DPAD_RIGHT |8*2 |1 << 3 | |- |START |8*2 |1 << 4 | |- |BACK |8*2 |1 << 5 | |- |LEFT_THUMB |8*2 |1 << 6 | |- |RIGHT_THUMB |8*2 |1 << 7 | |- |A |8*4 |0xFF |Button is analog |- |B |8*5 |0xFF |Button is analog |- |X |8*6 |0xFF |Button is analog |- |Y |8*7 |0xFF |Button is analog |- |BLACK |8*8 |0xFF |Button is analog |- |WHITE |8*9 |0xFF |Button is analog |- |LEFT_TRIGGER |8*10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER ||8*11 |0xFF |Trigger is analog |- |sThumbLX |8*12 |0xFFFF | |- |sThumbLY |8*14 |0xFFFF | |- |sThumbRX |8*16 |0xFFFF | |- |sThumbRY |8*18 |0xFFFF | |} === Xbox to Controller === 6 bytes (48 bit) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> c66351a273b256bbe94fc6ac9eda27251181c08c 5133 5132 2017-05-12T09:29:07Z JayFoxRox 2 Turned field enum into table (WIP: buttons are not confirmed and wrong order in list) wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |DPAD_UP |23 | |- |DPAD_DOWN |22 | |- |DPAD_LEFT |21 | |- |DPAD_RIGHT |20 | |- |START |19 | |- |BACK |18 | |- |LEFT_THUMB |17 | |- |RIGHT_THUMB |16 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bit) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 5a69374cea21e0f38d34c7e0f79a1bbd0c6548bf 5134 5133 2017-05-12T09:29:25Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |DPAD_UP |23 | |- |DPAD_DOWN |22 | |- |DPAD_LEFT |21 | |- |DPAD_RIGHT |20 | |- |START |19 | |- |BACK |18 | |- |LEFT_THUMB |17 | |- |RIGHT_THUMB |16 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 740f582323636863326cf91c9ff1fe41a147ac64 5135 5134 2017-05-12T09:29:37Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |DPAD_UP |23 | |- |DPAD_DOWN |22 | |- |DPAD_LEFT |21 | |- |DPAD_RIGHT |20 | |- |START |19 | |- |BACK |18 | |- |LEFT_THUMB |17 | |- |RIGHT_THUMB |16 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), AimingX = BUTTON_MASK( 9, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. AimingY = BUTTON_MASK(11, 0xFF), // Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. RotationLever = BUTTON_MASK(13, 0xFF), // Corresponds to the &quot;Rotation Lever&quot; joystick on the left. SightChangeX = BUTTON_MASK(15, 0xFF), // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. SightChangeY = BUTTON_MASK(17, 0xFF) // Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. LeftPedal = BUTTON_MASK(19, 0xFF), // Corresponds to the left pedal on the pedal block MiddlePedal = BUTTON_MASK(21, 0xFF), // Corresponds to the middle pedal on the pedal block RightPedal = BUTTON_MASK(23, 0xFF), // Corresponds to the right pedal on the pedal block TunerDial = BUTTON_MASK(24, 0x0F), // Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. // The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. GearLever = BUTTON_MASK(25, 0xFF), // Corresponds to the gear lever on the left block. </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 974423401d83b384e4db3c284af9cdb25be533c3 5136 5135 2017-05-12T09:39:26Z JayFoxRox 2 Turned field enum into table (WIP) wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |DPAD_UP |23 | |- |DPAD_DOWN |22 | |- |DPAD_LEFT |21 | |- |DPAD_RIGHT |20 | |- |START |19 | |- |BACK |18 | |- |LEFT_THUMB |17 | |- |RIGHT_THUMB |16 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 112729c98984b768f762e7f6d9e64b6f6744a4cf 5137 5136 2017-05-12T09:40:44Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |DPAD_UP |23 | |- |DPAD_DOWN |22 | |- |DPAD_LEFT |21 | |- |DPAD_RIGHT |20 | |- |START |19 | |- |BACK |18 | |- |LEFT_THUMB |17 | |- |RIGHT_THUMB |16 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> a5de0801d268a8bc70b65469d44fc5ad25d4e3b6 5138 5137 2017-05-12T09:42:47Z JayFoxRox 2 Reordered + filled in the gap wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |RIGHT_THUMB |16 | |- |LEFT_THUMB |17 | |- |BACK |18 | |- |START |19 | |- |DPAD_RIGHT |20 | |- |DPAD_LEFT |21 | |- |DPAD_DOWN |22 | |- |DPAD_UP |23 | |- | |24-31 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes <pre> EmergencyEject = FIELD_MASK(2, 0x0F), CockpitHatch = FIELD_MASK(2, 0xF0), Ignition = FIELD_MASK(3, 0x0F), Start = FIELD_MASK(3, 0xF0), OpenClose = FIELD_MASK(4, 0x0F), MapZoomInOut = FIELD_MASK(4, 0xF0), ModeSelect = FIELD_MASK(5, 0x0F), SubMonitorModeSelect = FIELD_MASK(5, 0xF0), MainMonitorZoomIn = FIELD_MASK(6, 0x0F), MainMonitorZoomOut = FIELD_MASK(6, 0xF0), ForecastShootingSystem = FIELD_MASK(7, 0x0F), Manipulator = FIELD_MASK(7, 0xF0), LineColorChange = FIELD_MASK(8, 0x0F), Washing = FIELD_MASK(8, 0xF0), Extinguisher = FIELD_MASK(9, 0x0F), Chaff = FIELD_MASK(9, 0xF0), TankDetach = FIELD_MASK(10, 0x0F), Override = FIELD_MASK(10, 0xF0), NightScope = FIELD_MASK(11, 0x0F), F1 = FIELD_MASK(11, 0xF0), F2 = FIELD_MASK(12, 0x0F), F3 = FIELD_MASK(12, 0xF0), MainWeaponControl = FIELD_MASK(13, 0x0F), SubWeaponControl = FIELD_MASK(13, 0xF0), MagazineChange = FIELD_MASK(14, 0x0F), Comm1 = FIELD_MASK(14, 0xF0), Comm2 = FIELD_MASK(15, 0x0F), Comm3 = FIELD_MASK(15, 0xF0), Comm4 = FIELD_MASK(16, 0x0F), Comm5 = FIELD_MASK(16, 0xF0), GearR = FIELD_MASK(17, 0xF0), GearN = FIELD_MASK(18, 0x0F), Gear1 = FIELD_MASK(18, 0xF0), Gear2 = FIELD_MASK(19, 0x0F), Gear3 = FIELD_MASK(19, 0xF0), Gear4 = FIELD_MASK(20, 0x0F), Gear5 = FIELD_MASK(20, 0xF0),</pre> 72a41d2d95d52e0dd8f13a54f80cbd82b1ac028c 5139 5138 2017-05-12T09:52:20Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |RIGHT_THUMB |16 | |- |LEFT_THUMB |17 | |- |BACK |18 | |- |START |19 | |- |DPAD_RIGHT |20 | |- |DPAD_LEFT |21 | |- |DPAD_DOWN |22 | |- |DPAD_UP |23 | |- | |24-31 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes (48 bits) {| class="wikitable" !Field !Bits !Notes |- |Left actuator strength |16-31 | |- |Right actuator strength |32-47 | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} fc1492517b7dcb797986360c60b186c753e8e1ff 5140 5139 2017-05-12T09:55:21Z JayFoxRox 2 Bytes / masks seem to make more sense for XID wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes (160 bits) {| class="wikitable" !Field !Bits !Notes |- |RIGHT_THUMB |16 | |- |LEFT_THUMB |17 | |- |BACK |18 | |- |START |19 | |- |DPAD_RIGHT |20 | |- |DPAD_LEFT |21 | |- |DPAD_DOWN |22 | |- |DPAD_UP |23 | |- | |24-31 | |- |A |32-39 |Button is analog |- |B |40-47 |Button is analog |- |X |48-55 |Button is analog |- |Y |56-63 |Button is analog |- |BLACK |64-71 |Button is analog |- |WHITE |72-79 |Button is analog |- |LEFT_TRIGGER |80-87 |Trigger is analog |- |RIGHT_TRIGGER |88-95 |Trigger is analog |- |sThumbLX |96-111 | |- |sThumbLY |112-127 | |- |sThumbRX |128-143 | |- |sThumbRY |144-159 | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 153f959954e6674083aa826628f7aa80ea3116c0 5141 5140 2017-05-12T10:02:14Z JayFoxRox 2 Reverted to byte offset + mask wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 6bd2c2f37d0c7b6d19bc23043ac55caffc5ac443 5142 5141 2017-05-12T10:02:31Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes (208 bits) {| class="wikitable" !Field !Bits !Notes |- |AimingX |72-79 (Maybe 72-87 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. X Axis value. |- |AimingY |88-95 (Maybe 88-103 ?!) |Corresponds to the &quot;Aiming Lever&quot; joystick on the right. Y Axis value. |- |RotationLever |104-111 (Maybe 104-119 ?!) |Corresponds to the &quot;Rotation Lever&quot; joystick on the left. |- |SightChangeX |120-127 (Maybe 120-135 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. X Axis value. |- |SightChangeY |136-143 (Maybe 136-151 ?!) |Corresponds to the &quot;Sight Change&quot; analog stick on the &quot;Rotation Lever&quot; joystick. Y Axis value. |- |LeftPedal |152-159 (Maybe 152-167 ?!) |Corresponds to the left pedal on the pedal block |- |MiddlePedal |168-175 (Maybe 168-192 ?!) |Corresponds to the middle pedal on the pedal block |- |RightPedal |184-191 |Corresponds to the right pedal on the pedal block |- | |192-195 | |- |TunerDial |196-199 |Corresponds to the tuner dial position. The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- |GearLever |200-207 |Corresponds to the gear lever on the left block. |} <pre>// Based on http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs // See http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/lgpl-3.0.txt RightJoyMainWeapon = BUTTON_MASK( 2, 0x01), RightJoyFire = BUTTON_MASK( 2, 0x03), //FIXME: WTF?! RightJoyLockOn = BUTTON_MASK( 2, 0x04), CockpitHatch = BUTTON_MASK( 2, 0x10), Ignition = BUTTON_MASK( 2, 0x20), Start = BUTTON_MASK( 2, 0x40), Eject = BUTTON_MASK( 2, 0x08), MultiMonOpenClose = BUTTON_MASK( 2, 0x80), MultiMonMapZoomInOut = BUTTON_MASK( 3, 0x01), MultiMonModeSelect = BUTTON_MASK( 3, 0x02), MultiMonSubMonitor = BUTTON_MASK( 3, 0x04), MainMonZoomIn = BUTTON_MASK( 3, 0x08), MainMonZoomOut = BUTTON_MASK( 3, 0x10), FunctionFSS = BUTTON_MASK( 3, 0x20), FunctionManipulator = BUTTON_MASK( 3, 0x40), FunctionLineColorChange = BUTTON_MASK( 3, 0x80), Washing = BUTTON_MASK( 4, 0x01), Extinguisher = BUTTON_MASK( 4, 0x02), Chaff = BUTTON_MASK( 4, 0x04), FunctionTankDetach = BUTTON_MASK( 4, 0x08), FunctionOverride = BUTTON_MASK( 4, 0x10), FunctionNightScope = BUTTON_MASK( 4, 0x20), FunctionF1 = BUTTON_MASK( 4, 0x40), FunctionF2 = BUTTON_MASK( 4, 0x80), FunctionF3 = BUTTON_MASK( 5, 0x01), WeaponConMain = BUTTON_MASK( 5, 0x02), WeaponConSub = BUTTON_MASK( 5, 0x04), WeaponConMagazine = BUTTON_MASK( 5, 0x08), Comm1 = BUTTON_MASK( 5, 0x10), Comm2 = BUTTON_MASK( 5, 0x20), Comm3 = BUTTON_MASK( 5, 0x40), Comm4 = BUTTON_MASK( 5, 0x80), Comm5 = BUTTON_MASK( 6, 0x01), LeftJoySightChange = BUTTON_MASK( 6, 0x02), ToggleFilterControl = BUTTON_MASK( 6, 0x04), ToggleOxygenSupply = BUTTON_MASK( 6, 0x08), ToggleFuelFlowRate = BUTTON_MASK( 6, 0x10), ToggleBuffreMaterial = BUTTON_MASK( 6, 0x20), ToggleVTLocation = BUTTON_MASK( 6, 0x40), </pre> === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 7fe2e5c26484705f1edbf779b0d87cd38fd64fc5 5143 5142 2017-05-12T10:11:34Z JayFoxRox 2 Reverted and improved to byte offset + mask wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |Eject |2 |0x08 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- |AimingX |9 |0xFF |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF | |- |MiddlePedal |21 |0xFF | |- |RightPedal |23 |0xFF | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 6bb9e241c87545a5c5d0daae757fd89af04f1a27 5144 5143 2017-05-12T10:11:51Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |Eject |2 |0x08 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- |AimingX |9 |0xFF |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF | |- |MiddlePedal |21 |0xFF | |- |RightPedal |23 |0xFF | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} c49fe972b82447d72fc33c37bb38001e545608cb 5145 5144 2017-05-12T10:16:28Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19, maybe 0xFFFF at offset 18? |0xFF | |- |MiddlePedal |21, maybe 0xFFFF at offset 20? |0xFF | |- |RightPedal |23, maybe 0xFFFF at offset 22? |0xFF | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 8a2376964158bf68850c89ed166eb7eb71413915 5146 5145 2017-05-12T10:17:39Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |1 << 0 | |- |DPAD_DOWN |2 |1 << 1 | |- |DPAD_LEFT |2 |1 << 2 | |- |DPAD_RIGHT |2 |1 << 3 | |- |START |2 |1 << 4 | |- |BACK |2 |1 << 5 | |- |LEFT_THUMB |2 |1 << 6 | |- |RIGHT_THUMB |2 |1 << 7 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 2711c3e6829614bcc8803cddb65c54c5b7af3435 5147 5146 2017-05-12T10:18:21Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 18a202f6afba66698f3929eaff478c277b63bbf9 5148 5147 2017-05-12T10:29:30Z JayFoxRox 2 Re-Added source wikitext text/x-wiki == XID Overview == XIDs are USB devices. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} d3b418e21730a926b79b7ed3ae597602be1b5b01 5164 5148 2017-05-12T18:27:13Z JayFoxRox 2 /* XID Overview */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} f3a237ac36730e1f0ff4f61fd88c5ba9f1a254fc 0 3689 5120 5111 2017-05-12T00:21:30Z Furon 2477 /* Remote Debugging and Control Protocol */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; 205- dedicated : The connection has been moved to a dedicated processing thread. ====4xx Failure==== TODO ===Authentication=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 71dd5f2dd5e21bd46aa13b08d7858bd5852a76fa 0 3692 5149 5114 2017-05-12T12:55:00Z Wayo 2479 wikitext text/x-wiki == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == === Matchmaking servers === === Game servers === === Kerberos === Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] 6cf38444325da67aff77114c773ce5d7f37a91c4 5150 5149 2017-05-12T13:07:59Z Wayo 2479 wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == === Matchmaking servers === === Game servers === === Kerberos === Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] f1a2a51ff90462f6922d614b12534894cbf02c0e 5151 5150 2017-05-12T13:34:12Z Wayo 2479 /* Kerberos */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] 35b8b22f3e41b7e6fb8791e0ac7d9c2163336279 0 3695 5153 2017-05-12T17:37:48Z JayFoxRox 2 Created page with "xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes. == Compatiblity list == {{:XQEMU/Compatibility List}}" wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes. == Compatiblity list == {{:XQEMU/Compatibility List}} 7242b1a57dbd101c14154a259ee538de7c5db68d 5155 5153 2017-05-12T17:39:12Z JayFoxRox 2 wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == {{:XQEMU/Compatibility List}} fccdba639b6b3d0829d8e0968c8441dc9f208a82 5163 5155 2017-05-12T18:06:46Z JayFoxRox 2 /* Compatiblity list */ wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == The following list was almost entirely created by [https://www.youtube.com/user/pcmaker2 pcmaker (also known as John Godgames)] around 2015. Meaning of the status fields: {| class="wikitable" !Status !Meaning |- |Nothing |Not showing anything due to error |- |Intro |Shows something as Intro / Menu |- |Ingame |Ingame (Graphical bugs) |- |Playable* |Partially playable or expected to be fully playable but not tested completly yet |- |Playable |Partially playable / Fully playable |} {{:XQEMU/Compatibility List}} 0b48a58edac8bffb5dc89bfec4fb3059593c17be 0 1 5154 5081 2017-05-12T17:38:29Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [http://cxbx-reloaded.co.uk Cxbx-Reloaded] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] be9b7da550e3e7c5964fcb83056da8cc74f0149e 5157 5154 2017-05-12T17:49:53Z JayFoxRox 2 Added link for cxbx-r wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [http://www.caustik.com/cxbx/ cxbx] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] eafcc4e75e0f50a71756b2845e8f66777ff70972 5161 5157 2017-05-12T17:57:31Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 061071d5d2d589410a1eebf8e84f9d330fb30834 5162 5161 2017-05-12T17:59:14Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * Official Xbox backwards compatibility in Xbox 360 Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] bd28527e7c1ee140ea39557c07d59394aabfccf0 0 3 5156 5051 2017-05-12T17:44:43Z JayFoxRox 2 wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Matt Borgerson about the Xbox bootrom] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] About emulation * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 8d402e08c9670938f931339576817925c3d203e0 0 3696 5158 2017-05-12T17:51:04Z JayFoxRox 2 Created page with "Cxbx-Reloaded is a hybrid LLE / HLE Xbox emulation project started by [[User:SoullessSentinel|]] on April 1st, 2016. It is based on [[Cxbx]]. Its website is can be found at [..." wikitext text/x-wiki Cxbx-Reloaded is a hybrid LLE / HLE Xbox emulation project started by [[User:SoullessSentinel|SoullessSentinel]] on April 1st, 2016. It is based on [[Cxbx]]. Its website is can be found at [http://cxbx-reloaded.co.uk cxbx-reloaded.co.uk]. d27a5f89f6145489572ab344687f7a45c72dd186 0 3697 5159 2017-05-12T17:56:54Z JayFoxRox 2 Created page with "Cxbx was a HLE Xbox emulation project started by Caustik around 2002. The name is an abreviation for "Caustiks Xbox". Its official website can be found on http://www.causti..." wikitext text/x-wiki Cxbx was a HLE Xbox emulation project started by Caustik around 2002. The name is an abreviation for "Caustiks Xbox". Its official website can be found on [[http://www.caustik.com/cxbx/ Caustiks Cxbx page]] 95e22afe9c2595c85851631f54f49025f1e37f6b 5160 5159 2017-05-12T17:57:07Z JayFoxRox 2 wikitext text/x-wiki Cxbx was a HLE Xbox emulation project started by Caustik around 2002. The name is an abreviation for "Caustiks Xbox". Its official website can be found on [http://www.caustik.com/cxbx/ Caustiks Cxbx page] 191ab78e6c76bceb21b62dd8304839376bd614de 0 4 5165 5106 2017-05-12T18:57:20Z JayFoxRox 2 /* Renderware */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* f0522731a57ac016d8f6b0711ceef346c8ae7ada 5166 5165 2017-05-12T18:57:56Z JayFoxRox 2 wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 16bf8f40e1a6a4103882a1964da9b0f0b65f95b2 5167 5166 2017-05-12T18:58:12Z JayFoxRox 2 /* Unreal Engine 1 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 1e3587edf10dc7edbb62f145105cec7c5cea2cec 5168 5167 2017-05-12T18:58:19Z JayFoxRox 2 /* Unreal Engine 2 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" style="width:100%; font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" style="width:100%; font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 3179381dc7d60a1296ad75777b568e96786d9ece 1 3698 5170 2017-05-13T15:59:13Z Codeasm 2480 Created page with "== Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394" wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 75b4312dfaf7f78500dd9c71ac1f6bfed3faf50c 5198 5170 2017-05-14T15:05:21Z JayFoxRox 2 wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) 96af933ffefbbf8aac9244eb7e2a9bd3bba7607a 5199 5198 2017-05-14T15:06:12Z Codeasm 2480 /* Typo in the know Bios versions */ wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) 4fcda9880897832450a9cb47a5f4652b61493cba 5203 5199 2017-05-14T19:23:58Z Eighthpence 2472 /* Typo in the know Bios versions */ wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) They are now changed --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:23, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) 2a74eb635241853872aa7e1059b1887a1edeb897 5205 5203 2017-05-14T19:40:46Z Eighthpence 2472 /* Turn lists into a table? */ wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) They are now changed --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:23, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) I've added a table. It needs improving but it is a start. --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:40, 14 May 2017 (PDT) c4cb99a34893a0b07b4faa50a0cab9a0092596de 0 3672 5171 5022 2017-05-13T16:09:26Z Codeasm 2480 /* Copyright String */ typo? wikitext text/x-wiki The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa (type? maybe 3966?) * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 9618fafa9422fdb2e5bfa7d552766c4a793c4b44 5178 5171 2017-05-13T22:40:29Z Furon 2477 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa (type? maybe 3966?) * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 76fe7c7085e407627d047e2584b7d4cc03553550 5195 5178 2017-05-14T14:55:41Z Codeasm 2480 /* Copyright String */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 2178f518a350a3e184eb3c766df1050e8aeb3856 5196 5195 2017-05-14T15:03:38Z Codeasm 2480 Undo revision 5195 by [[Special:Contributions/Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa (type? maybe 3966?) * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 76fe7c7085e407627d047e2584b7d4cc03553550 5197 5196 2017-05-14T15:03:52Z Codeasm 2480 Undo revision 5171 by [[Special:Contributions/Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3394 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 2178f518a350a3e184eb3c766df1050e8aeb3856 5201 5197 2017-05-14T19:22:44Z Eighthpence 2472 /* Copyright String */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3944 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3394 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] f266e456d009e39acc55f3c3c0750d120416f259 5202 5201 2017-05-14T19:23:03Z Eighthpence 2472 /* Known Retail BIOSs */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3944 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 34fac72fe400daa7a0a66c1850c6d650d8b749e4 5204 5202 2017-05-14T19:39:33Z Eighthpence 2472 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| ! Memory Type ! 3944 ! 4034 ! 4134 ! 4817 ! 5101 ! 5530 ! 5713 ! 5838 |- | Unknown | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 |- | X-Codes | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 |- | Copyright String | 0x00cfa | 0x00cfa | 0x00cfa | 0x00db9 | 0x00e49 | 0x00e59 | 0x00e59 | 0x00dcc |- | Kernel | | | | | | | | |- | Kernel Data Segment | | | | | | | | |- | 2BL | 0x039E00 | 0x039E00 | 0x039E00 | | | | | |- | Decoy Boot Loader | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3944 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 6a982aa967f953cab4b832dcd3b4e227ea29f358 5207 5204 2017-05-14T19:59:00Z JayFoxRox 2 table is wikitable now + header fields on the left wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 ! 4034 ! 4134 ! 4817 ! 5101 ! 5530 ! 5713 ! 5838 |- ! Unknown | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 |- ! X-Codes | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 |- ! Copyright String | 0x00cfa | 0x00cfa | 0x00cfa | 0x00db9 | 0x00e49 | 0x00e59 | 0x00e59 | 0x00dcc |- ! Kernel | | | | | | | | |- ! Kernel Data Segment | | | | | | | | |- ! 2BL | 0x039E00 | 0x039E00 | 0x039E00 | | | | | |- ! Decoy Boot Loader | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === 57 bytes long with the following start positions: * 3944 - 0xcfa * 4034 - 0xcfa * 4134 - 0xcfa * 4817 - 0xdb9 * 5101 - 0xe49 * 5530 - 0xe59 * 5713 - 0xe59 * 5838 - 0xdcc Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.". === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 3bf64a3da773cbca1761b5c1432a59b741fee7eb 5208 5207 2017-05-14T20:01:00Z JayFoxRox 2 /* Copyright String */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 ! 4034 ! 4134 ! 4817 ! 5101 ! 5530 ! 5713 ! 5838 |- ! Unknown | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 |- ! X-Codes | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 |- ! Copyright String | 0x00cfa | 0x00cfa | 0x00cfa | 0x00db9 | 0x00e49 | 0x00e59 | 0x00e59 | 0x00dcc |- ! Kernel | | | | | | | | |- ! Kernel Data Segment | | | | | | | | |- ! 2BL | 0x039E00 | 0x039E00 | 0x039E00 | | | | | |- ! Decoy Boot Loader | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 6f6d7fd20739de74c09c01b52732f1cd247e8046 5219 5208 2017-05-15T13:27:39Z Eighthpence 2472 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] 8964d91fcf5c32fe08dc9e29f348a3cc947de979 0 3689 5172 5120 2017-05-13T19:45:46Z Furon 2477 /* Remote Debugging and Control Protocol */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; 205- connection dedicated : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; 400- unexpected error : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; 401- max number of connections exceeded : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; 402- file not found : An operation was attempted on a file that does not exist. ; 403- no such module : An operation was attempted on a module that does not exist. ; 404- memory not mapped : An operation was attempted on a region of memory that is not mapped in the page table. ; 405- no such thread : An operation was attempted on a thread that does not exist. ; 407- unknown command : The command is not recognized. ; 408- not stopped : The target thread is not stopped. ; 409- file must be copied : A move operation was attempted on a file that can only be copied. ; 410- file already exists : A file could not be created or moved because one already exists with the same name. ; 411- directory not empty : A directory could not be deleted because it still contains files and/or directories. ; 412- filename is invalid : The specified file contains invalid characters or is too long. ; 413- file cannot be created : The file cannot be created for some unspecified reason. ; 414- access denied : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; 415- no room on device : The target device has run out of storage space. ; 416- not debuggable : The title is not debuggable. ; 417- type invalid : The performance counter type is invalid. ; 418- data not available : The performance counter data is not available. ===Connection dedication=== TODO ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. a3eac43f171d3ed759aadbb8d767c85e0ec49dcf 5176 5172 2017-05-13T21:54:26Z Furon 2477 /* 2xx Success */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; 205- connection dedicated : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ; 207- fast cap enabled : Fast call-attribute profiling has been enabled. This status code is defined by XBDM, but does not appear to be used. It may have been a planned feature that was never implemented or left over from pre-release versions of XBDM. ====4xx Failure==== ; 400- unexpected error : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; 401- max number of connections exceeded : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; 402- file not found : An operation was attempted on a file that does not exist. ; 403- no such module : An operation was attempted on a module that does not exist. ; 404- memory not mapped : An operation was attempted on a region of memory that is not mapped in the page table. ; 405- no such thread : An operation was attempted on a thread that does not exist. ; 407- unknown command : The command is not recognized. ; 408- not stopped : The target thread is not stopped. ; 409- file must be copied : A move operation was attempted on a file that can only be copied. ; 410- file already exists : A file could not be created or moved because one already exists with the same name. ; 411- directory not empty : A directory could not be deleted because it still contains files and/or directories. ; 412- filename is invalid : The specified file contains invalid characters or is too long. ; 413- file cannot be created : The file cannot be created for some unspecified reason. ; 414- access denied : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; 415- no room on device : The target device has run out of storage space. ; 416- not debuggable : The title is not debuggable. ; 417- type invalid : The performance counter type is invalid. ; 418- data not available : The performance counter data is not available. ===Connection dedication=== TODO ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 54dacf4b59084e2d4f825236010c1da3f060a499 5179 5176 2017-05-14T00:56:17Z Furon 2477 /* Connection dedication */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Each code has a default message, but some commands use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- ready for binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; 205- connection dedicated : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ; 207- fast cap enabled : Fast call-attribute profiling has been enabled. This status code is defined by XBDM, but does not appear to be used. It may have been a planned feature that was never implemented or left over from pre-release versions of XBDM. ====4xx Failure==== ; 400- unexpected error : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; 401- max number of connections exceeded : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; 402- file not found : An operation was attempted on a file that does not exist. ; 403- no such module : An operation was attempted on a module that does not exist. ; 404- memory not mapped : An operation was attempted on a region of memory that is not mapped in the page table. ; 405- no such thread : An operation was attempted on a thread that does not exist. ; 407- unknown command : The command is not recognized. ; 408- not stopped : The target thread is not stopped. ; 409- file must be copied : A move operation was attempted on a file that can only be copied. ; 410- file already exists : A file could not be created or moved because one already exists with the same name. ; 411- directory not empty : A directory could not be deleted because it still contains files and/or directories. ; 412- filename is invalid : The specified file contains invalid characters or is too long. ; 413- file cannot be created : The file cannot be created for some unspecified reason. ; 414- access denied : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; 415- no room on device : The target device has run out of storage space. ; 416- not debuggable : The title is not debuggable. ; 417- type invalid : The performance counter type is invalid. ; 418- data not available : The performance counter data is not available. ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 7dbfc6a7bfaa8ed7246ff94c4d07fd544b197c63 5180 5179 2017-05-14T01:18:36Z Furon 2477 /* Status codes */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; 200- OK : Standard response for successful execution of a command. ; 201- connected : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; 202- multiline response follows : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; 203- binary response follows : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; 204- send binary data : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; 205- connection dedicated : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; 400- unexpected error : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; 401- max number of connections exceeded : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; 402- file not found : An operation was attempted on a file that does not exist. ; 403- no such module : An operation was attempted on a module that does not exist. ; 404- memory not mapped : An operation was attempted on a region of memory that is not mapped in the page table. ; 405- no such thread : An operation was attempted on a thread that does not exist. ; 406- : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; 407- unknown command : The command is not recognized. ; 408- not stopped : The target thread is not stopped. ; 409- file must be copied : A move operation was attempted on a file that can only be copied. ; 410- file already exists : A file could not be created or moved because one already exists with the same name. ; 411- directory not empty : A directory could not be deleted because it still contains files and/or directories. ; 412- filename is invalid : The specified file contains invalid characters or is too long. ; 413- file cannot be created : The file cannot be created for some unspecified reason. ; 414- access denied : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; 415- no room on device : The target device has run out of storage space. ; 416- not debuggable : The title is not debuggable. ; 417- type invalid : The performance counter type is invalid. ; 418- data not available : The performance counter data is not available. ; 420- box not locked : The command can only be executed when security is enabled (see [[#Security]]). ; 421- key exchange required : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; 422- dedicated connection required : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 0eb2b73513b541d9836302676fe715c9a017360a 5181 5180 2017-05-14T03:58:44Z Furon 2477 /* Status codes */ Add status code anchors wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address (forward lookup), resolve an IP address to a debug name (reverse lookup), and discover all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. cdb6e8b78f03e0a2b91ff18ae9e7aa67ffa74c77 5200 5181 2017-05-14T15:06:26Z Furon 2477 /* Name Answering Protocol */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. 5252366bc3f2b3a1b2206da60352fa8a25b9ddf4 2 3699 5173 2017-05-13T21:38:41Z Furon 2477 Created page with "I enjoy documenting Xbox internals and creating open source tools that ease development of emulators and homebrew Xbox software on non-Windows platforms. ==Contact== * '''[h..." wikitext text/x-wiki I enjoy documenting Xbox internals and creating open source tools that ease development of emulators and homebrew Xbox software on non-Windows platforms. ==Contact== * '''[https://github.com/docbrown docbrown]''' on GitHub * '''furon''' on FreeNode (usually in #qemu, #xenia, and #go-nuts) * furon at protonmail dot com b97a2a9e2018bef94912453d7da7261a78f414c5 5174 5173 2017-05-13T21:39:51Z Furon 2477 wikitext text/x-wiki I enjoy documenting Xbox internals and creating open source tools that ease development of emulators and homebrew Xbox software on non-Windows platforms. * '''[https://github.com/docbrown docbrown]''' on GitHub * '''furon''' on FreeNode (usually in #qemu, #xenia, and #go-nuts) * furon at protonmail dot com d9ee2aec65626cb84ca8ee2b2a08ff1bc673a9ba 5175 5174 2017-05-13T21:40:25Z Furon 2477 wikitext text/x-wiki I enjoy documenting Xbox internals and creating open source tools that ease development of emulators and homebrew Xbox software on non-Windows platforms. * '''[https://github.com/docbrown docbrown]''' on GitHub * '''furon''' on FreeNode (usually in #xqemu, #xenia, and #go-nuts) * furon at protonmail dot com 2c1e78cc5b366bfbcad3d473afab4d313d7f6bdc 0 1 5177 5162 2017-05-13T22:15:10Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * Official Xbox backwards compatibility in Xbox 360 Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 1d7f1e5d48679aba842384d2379ec3c1d44be079 5185 5177 2017-05-14T07:24:25Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://www.emulator-zone.com/doc.php/xbox/xeon.html Xeon (no known official homepage)] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 4c3e3363c0ac00257f1af2c74137f5013e95c487 5186 5185 2017-05-14T12:46:10Z JayFoxRox 2 Added more emulators from http://ngemu.com/threads/.155472/ wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210 XProject] * [https://code.google.com/p/xbem xbem] * [http://ngemu.com/threads/hackbox.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] bc8b05188a82283ccde410cad9f0fd9cdbcf5473 5187 5186 2017-05-14T12:46:42Z JayFoxRox 2 Fix links wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro Pictures]] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210/ XProject] * [https://code.google.com/p/xbem xbem] * [http://ngemu.com/threads/.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 570fe49ea4ed4153ca7daa0ded3d9a3fa2e03a9e 5210 5187 2017-05-14T20:05:30Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210/ XProject] * [https://code.google.com/p/xbem xbem] * [http://ngemu.com/threads/.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] d246696b37fe4fe80491805203aa6809ed7c4978 5212 5210 2017-05-15T09:15:12Z JayFoxRox 2 Added more github emu trash wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210/ XProject] * [https://code.google.com/p/xbem xbem] * [http://ngemu.com/threads/.146461/ Hackbox] * [https://github.com/phire/kvmbox kvmbox] * [https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] * [https://github.com/bjh83/boombox boombox] * [https://github.com/docbrown/vxb vxb] * [https://github.com/quantumdude836/exciplex exciplex] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] f25d2d09058ee6fc10805cd0a64e6101f72f6eec 5213 5212 2017-05-15T09:17:59Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation / Emulators * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210/ XProject] * [https://code.google.com/p/xbem xbem] * [[Hackbox]] * [https://github.com/phire/kvmbox kvmbox] * [https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] * [https://github.com/bjh83/boombox boombox] * [https://github.com/docbrown/vxb vxb] * [https://github.com/quantumdude836/exciplex exciplex] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] f9906d8a251c9b3471fa3462d04e69b1c2f54842 5214 5213 2017-05-15T09:19:53Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] [[Emulators]] * [[XQEMU]] * [[Cxbx-Reloaded]] * [[Cxbx]] * [http://dxbx-emu.com Dxbx] * [https://github.com/impeachgod/Dirtbox Dirtbox] * [https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] * [https://github.com/daeken/Steelbreeze Steelbreeze] * [https://github.com/daeken/Zookeeper Zookeeper] * [http://ngemu.com/threads/.154342/ XbeNext] * [http://ngemu.com/forums/.65/ Xeon] * [http://ngemu.com/threads/.105210/ XProject] * [https://code.google.com/p/xbem xbem] * [[Hackbox]] * [https://github.com/phire/kvmbox kvmbox] * [https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] * [https://github.com/bjh83/boombox boombox] * [https://github.com/docbrown/vxb vxb] * [https://github.com/quantumdude836/exciplex exciplex] * [http://mamedev.org/ MAME/Chihiro] * [http://mamedev.org/ MAME/Xbox] * [https://github.com/monocasa/xbvm XBVM] * [http://xenoborg-emu.blogspot.com/ Xenoborg] * [[Xbox 360 Backward Compatibility]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 95c82d9cc0819c44219bfc0d2c2cc1924178d99e 5216 5214 2017-05-15T09:44:05Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] * [[Xbox Game Disc]] * [[Xbox Debug Monitor]] * [[Xbox Input Devices]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation * [[Emulators]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 8d253c86ce5d8911af3a3b8a09567e9a83dd4150 0 3700 5182 2017-05-14T07:11:59Z JayFoxRox 2 Created page with "Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == References and links == * [https://web.archive.org/web/20150616131202/http://dark...." wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] 66bec00353746f04e111988d0f588abfcbe48afb 5206 5182 2017-05-14T19:54:53Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] 0d6d1fd457715405d4319a36ceaf22767d809fd8 0 3701 5183 2017-05-14T07:22:31Z JayFoxRox 2 Created page with "Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-con..." wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] 009fc46655027cfcdaec22174021787c9012d497 0 3 5184 5156 2017-05-14T07:22:50Z JayFoxRox 2 Moved some resources to new page wikitext text/x-wiki Random resources about xbox hacking * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Matt Borgerson about the Xbox bootrom] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] About emulation * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 88bc34e7193da50767f30ab9d787d91a0c9d07ca 0 3697 5188 5160 2017-05-14T13:14:36Z JayFoxRox 2 wikitext text/x-wiki Cxbx was a HLE Xbox emulation project started by Caustik around 2002. The name is an abreviation for "Caustiks Xbox". Its official website can be found on [http://www.caustik.com/cxbx/ Caustiks Cxbx page] == CXBX kingofc's dev version == The website for this fork can be found at [http://www.caustik.com/kingofc/] It focused on partial LLE. == Blueshogun's Cxbx == The website for this fork is [http://shogun3d-cxbx.blogspot.de/ blueshoguns blog] == Cxbx-Reloaded == [[Cxbx-Reloaded|This fork has it's own article]] d5b872821a7a1b6c078f307b9060e078ad290af4 5193 5188 2017-05-14T13:29:31Z JayFoxRox 2 /* CXBX kingofc's dev version */ wikitext text/x-wiki Cxbx was a HLE Xbox emulation project started by Caustik around 2002. The name is an abreviation for "Caustiks Xbox". Its official website can be found on [http://www.caustik.com/cxbx/ Caustiks Cxbx page] == CXBX kingofc's dev version == The website for this fork can be found at [http://www.caustik.com/kingofc/] It focused on partial LLE{{citation needed}}. == Blueshogun's Cxbx == The website for this fork is [http://shogun3d-cxbx.blogspot.de/ blueshoguns blog] == Cxbx-Reloaded == [[Cxbx-Reloaded|This fork has it's own article]] 33ad1bdab1b74411d3c915b232a6d6242a4a127c 0 3695 5189 5163 2017-05-14T13:17:42Z JayFoxRox 2 wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == The following list was almost entirely created by [https://www.youtube.com/user/pcmaker2 pcmaker (also known as John Godgames)] around 2015. Meaning of the status fields: {| class="wikitable" !Status !Meaning |- |Nothing |Not showing anything due to error |- |Intro |Shows something as Intro / Menu |- |Ingame |Ingame (Graphical bugs) |- |Playable* |Partially playable or expected to be fully playable but not tested completly yet |- |Playable |Partially playable / Fully playable |} {{:XQEMU/Compatibility List}} == XQEMU-JFR == XQEMU-JFR is a now defunct fork of XQEMU by JayFoxRox. Most of the changes have since been integrated back into the official version of XQEMU. The archived version can be found at https://github.com/JayFoxRox/xqemu-jfr 78c40b889703953d38ac8e0b0c49095a278e0dfb 10 3702 5190 2017-05-14T13:26:26Z JayFoxRox 2 Stolen from some other wiki wikitext text/x-wiki ^{[''[[wikipedia:Citation needed|<span title="This claim needs references to reliable sources">citation&nbsp;needed</span>]]'']}<includeonly>{{ #switch: {{NAMESPACE}} | {{ns:2}} | {{TALKSPACE}} = <!-- no category for user or talk pages --> | #default = [[Category:Citation needed]] }}</includeonly><noinclude> ==Documentation== ''<nowiki>{{citation needed}}</nowiki>'' * Tells a visitors that the statement is not supported by any form of given evidence. * Displays: ^{[''[[wikipedia:Citation needed|<span title="This claim needs references to reliable sources">citation&nbsp;needed</span>]]'']} * If you see citation needed somewhere, try to prove it (or to prove it's wrong) <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> 7a96a1437fe4af05b3d97b27081336b08a6277d6 5191 5190 2017-05-14T13:28:10Z JayFoxRox 2 Meh.. our wiki doesn't do this right wikitext text/x-wiki ^{[''[[wikipedia:Citation needed|<span title="This claim needs references to reliable sources">citation&nbsp;needed</span>]]'']}<noinclude> ==Documentation== ''<nowiki>{{citation needed}}</nowiki>'' * Tells a visitors that the statement is not supported by any form of given evidence. * Displays: ^{[''[[wikipedia:Citation needed|<span title="This claim needs references to reliable sources">citation&nbsp;needed</span>]]'']} * If you see citation needed somewhere, try to prove it (or to prove it's wrong) <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> a9dae98cb1ac6a031f6fc179aa5c749f3f2aa62e 0 3681 5192 5030 2017-05-14T13:28:29Z JayFoxRox 2 wikitext text/x-wiki The CPU in the Xbox was a custom Pentium 3 running at 733MHz. The 'custom' part of this was that that the Pentium 3 in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [https://software.intel.com/en-us/articles/intel-sdm Intel® 64 and IA-32 Architectures Software Developer Manuals] (Sorry, I can't find just the documentation for the Pentium 3. Enjoy 4600+ pages, half of which is irrelevant!) ae6463a56c4a878162956dfd0574af5456984681 0 4 5194 5168 2017-05-14T13:31:11Z JayFoxRox 2 Remove the fixed table width to look less stupid wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this ^[Ref]] | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* f08f4b93f8892e296cd087851ce28d909e6e0093 0 3670 5209 5035 2017-05-14T20:04:07Z JayFoxRox 2 /* References */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] f922541222747a5115a5fed6d7fc5fcf8a55bae4 0 14 5211 33 2017-05-14T20:11:25Z JayFoxRox 2 <code> -> <pre> wikitext text/x-wiki == Fullscreen blit shader == <pre> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -240, 16777215, 0 } c[59] = { 320.53125, 240.53125, 0, 0} c[100] = { 640, 480, 0, 5.06639553e-05} c[101] = { 0, 0, 0, 1} c[102] = {1/320, -1/240, 1, 1} c[103] = { 1, -1, 0, 0} c[104] = { 0, 0, 0, 0} c[105] = { 320, -240, 16777215, 0 } c[106] = { 320.53125, 240.53125, 0, 0} /* Slot 0: 0x00000000 0x002D001B 0x0C36106C 0x28200FF8 */ // R2.x = 0.0; MOV(R2,x, c[104]); /* Slot 1: 0x00000000 0x002CC01B 0x0C36106C 0x2F900FF8 */ // R9 = {1/320, -1/240, 1, 1} MOV(R9,xyzw, c[102]); /* Slot 2: 0x00000000 0x024CE200 0x2636186C 0x2C50F81C */ // R5.xy = R2.x * { -1, +1 } // -> R5.xy = 0.0 .. FIXME: This makes no sense? R2.x was just set to zero?! [from C104.x !!] // oD0 = v1 MUL(R5,xy, R2.x, -c[103]); MOV(oD0,xyzw, v1); /* Slot 3: 0x00000000 0x006CC0AA 0x0C36146C 0x98300FF8 */ ADD(R3,x, c[102].z, -R2); // -> R3.x = C[102].z = 1.0 /* Slot 4: 0x00000000 0x008CC000 0x242A1800 0xDC400FF8 */ MAD(R4,xy, R2.x, c[102].xy, R3.x); // -> R4.xy = R3.xx = {1,1} /* Slot 5: 0x00000000 0x008D2000 0x242A1800 0xDC600FF8 */ MAD(R6,xy, R2.x, c[105].xy, R3.x); // -> R6.xy = R3.xx = {1,1} /* Slot 6: 0x00000000 0x004D4000 0x242A186C 0x2C700FF8 */ MUL(R7,xy, R2.x, c[106].xy); // -> R7.xy = 0.0 /* Slot 7: 0x00000000 0x0080041B 0x0836886D 0x5C800FF8 */ MAD(R8,xy, v2, R4, R5); // -> R8 = v2 * R4 = v2 oT0.xy = R8 * R6 + R7 // -> v2 oT1.xy = R8 * R6 + R7 // -> v2 /* Slot 8: 0x00000000 0x004CA01A 0x0C37286C 0x2FA00FF8 */ MUL(R10,xyzw, c[101].xyz, R9); /* Slot 11: 0x00000000 0x006CE01B 0xA436146C 0x3070F800 */ ADD(oPos,xyzw, R10, -c[103]); /* Slot 12: 0x00000000 0x004C8015 0x942A186C 0x2CB00FF8 */ MUL(R11,xy, R9.xy, c[100].xy); /* Slot 13: 0x00000000 0x00800015 0x082B6857 0x1070C800 */ MAD(oPos,xy, v0.xy, R11.xy, R12.xy); SET FOG: /* Slot 14: 0x00000000 0x004C80FF 0x0DFF886C 0x20708828 */ MUL(oFog,x, c[100].w, R12.w); DO VIEWPORT TRANSFORM: /* Slot 15: 0x00000000 0x0047401B 0xC436186C 0x2070C800 */ MUL(oPos,xy, R12, c[58]); /* Slot 16: 0x00000000 0x0067601B 0xC436106C 0x3070C801 */ ADD(oPos,xy, R12, c[59]); SPACE CONVERSION [XQEMU only]: if (oPos.w == 0.0 || isinf(oPos.w)) { vtx.inv_w = 1.0; } else { vtx.inv_w = 1.0 / oPos.w; } oPos.x = 2.0 * (oPos.x - surfaceSize.x * 0.5) / surfaceSize.x; oPos.y = -2.0 * (oPos.y - surfaceSize.y * 0.5) / surfaceSize.y; if (clipRange.y != clipRange.x) { oPos.z = (oPos.z - 0.5 * (clipRange.x + clipRange.y)) / (0.5 * (clipRange.y - clipRange.x)); } if (oPos.w <= 0.0) { oPos.xyz *= oPos.w; } else { oPos.w = 1.0; } /* Make the world a happy place! */ #if 1 oFog.xyzw = vec4(1.0); oPos.xy = v0.xy; oPos.y *= -1.0; oPos.z = 0.5; oPos.w = 1.0; vtx.inv_w = 1.0; #endif </pre> 8d488ea3b212db3fc0de6cc913976ea14d31e31d 0 3703 5215 2017-05-15T09:43:21Z JayFoxRox 2 Trying to condense non-official xbox stuff to a minimum. I'll probably add most emu articles below into one giant meta-page wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | | |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | | |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |[http://dxbx-emu.com Dxbx] | |PatrickVL{{citation needed}} |Windows | | |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |Unknown |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |Unknown |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |[[Hackbox]] | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to other developers. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with bios HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with bios HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |Unknown |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} c99c19e0d74b826cd79bd27e8ab5d6a04b5f7335 5217 5215 2017-05-15T09:51:15Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | | |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | | |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |[http://dxbx-emu.com Dxbx] | |PatrickVL{{citation needed}} |Windows | | |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |Unknown |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |Unknown |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |[[Hackbox]] | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with bios HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with bios HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |Unknown |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} 7797db4b7e53bfd3a8fc81be3ebe5e67d4f9b61a 5218 5217 2017-05-15T12:06:34Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |Unknown |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |Unknown |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with bios HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with bios HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |Unknown |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} ccea8854e27d49837de768669fd65fd664dc7a7e 0 3674 5220 5072 2017-05-15T13:28:34Z Eighthpence 2472 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. On Debug Xboxs and Chihiro, only the BIOS is mapped. {| class="wikitable" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |BIOS |0xFF000000 - 0xFFFFFFFF |0xFF000000 - 0xFFFFFFFF |- |MCPX |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MAIN_MEMORY 128 * 1024 * 1024 int mcpx_active = 0; #else #define MAIN_MEMORY 64 * 1024 * 1024 int mcpx_active = 1; #endif #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 73a5aa3e9f513dd796ca4e592111bbc9bb499d6e 0 3670 5221 5209 2017-05-15T21:05:36Z JayFoxRox 2 /* Dumping the MCPX ROM */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. After Microsoft found this out, they changed the algorithm to a TEA algorithm. The code on the chips is largely the same, but for those two differences. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX ROM Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] 3a03353d94fb8158eb0d5f53007ced1eb86d85e0 0 3 5222 5184 2017-05-16T01:29:07Z Mborgerson 2478 wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom MCPX ROM Disassembly] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == About emulation == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] == History == * [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php Designing the Boot Sound for the Original Xbox (Brian Schmidt)] * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past] ebdacd60372019dd63bddfb02e50dcac9a6bb8ab 5224 5222 2017-05-16T10:03:34Z JayFoxRox 2 Moved some resources to related articles wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php Designing the Boot Sound for the Original Xbox (Brian Schmidt)] * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past] 78cf422435b74f038f9cd2d84a367ce6ac63c16d 5228 5224 2017-05-16T10:09:27Z JayFoxRox 2 Moved to "DVD Drive" article wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php Designing the Boot Sound for the Original Xbox (Brian Schmidt)] * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past] bac2ebaf425580e78c4676b6e046252ec87fd64b 0 3703 5223 5218 2017-05-16T10:02:58Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |Unknown |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |Unknown |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |Unknown |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with bios HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with bios HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |Unknown |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 529b462b37c43820ce8d964db78c7e08823c2610 5251 5223 2017-05-19T11:25:31Z JayFoxRox 2 Tried to be more specific about approaches wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with MCPX ROM HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with MCPX ROM HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |LLE/HLE Hybrid |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 30e3a8fbc8dbb333c487122e1fabb91783c2c8d3 5252 5251 2017-05-19T11:26:23Z JayFoxRox 2 Make table sortable wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |LLE/HLE Hybrid |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE with MCPX ROM HLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE with MCPX ROM HLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead |LLE/HLE Hybrid |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 92174582eebacd6c4e1b1f7f72c21939114e63fc 0 1 5225 5216 2017-05-16T10:05:12Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] [[Xbox Game Disc]] ** [[USB]] [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation * [[Emulators]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] ceb7d36bae5f3e57d942c708070958f99dc2ef43 5226 5225 2017-05-16T10:06:40Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] ** [[USB]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation * [[Emulators]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] f4d1fd6a5c2fa47ad1c8613a7747e8970ad7d838 5248 5226 2017-05-19T06:01:41Z KaosEngineer 2482 Missing one piece of hardware -- the Hard drive. wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] ** [[Hard Drive]] ** [[USB]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] Games * [[Engine List]] * [[Games/Azurik: Rise of Perathia]] * [[Games/Grand Theft Auto 3]] * [[Games/Grand Theft Auto Vice City]] * [[Games/Grand Theft Auto San Andreas]] * [[Games/Kung Fu Chaos]] * [[Games/Tony Hawk's Pro Skater 2x]] Emulation * [[Emulators]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] bce52a49c9ba9f1753bb17de386bc1de5d5775a3 0 3704 5227 2017-05-16T10:08:46Z JayFoxRox 2 Created page with "The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast..." wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] 383436d441ebc1e1debc1c66e1d024cc36230599 0 3672 5229 5219 2017-05-16T11:25:35Z JayFoxRox 2 /* References */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == Known Retail BIOSs == * 3944 * 4034 * 4134 * 4817 * 5101 * 5530 * 5713 * 5838 == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 6caa3757a22e5093c74dbf4fa1fd9edb55ef709d 5236 5229 2017-05-17T19:39:04Z Eighthpence 2472 /* Known Retail BIOSs */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 0dc24267966f86cb2554fbad1ae79ce970668c8a 0 3700 5230 5206 2017-05-16T11:27:32Z JayFoxRox 2 Added redump links wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ Dumping Guide by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 670fab93547fea78dc5cdd16f7b7f93f08235bfc 5231 5230 2017-05-16T14:47:13Z JayFoxRox 2 Added list of drives. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Firmware |- |{{citation needed}} | |0800 |- |Toshiba SD-M2012C |IDE |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |Kreon (October 9th 2007) |- |Samsung SH-D162D |IDE |Kreon (November 18th 2007) |- |Toshiba TS-H352C |IDE |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA |Kreon (October 9th 2007) |- |Samsung SH-D163B |SATA |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA |{{citation needed}} |- |Toshiba TS-H353B |SATA |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 206d094a499ef8780620bbf7e93f91ef07bcdc7a 5247 5231 2017-05-18T17:21:12Z JayFoxRox 2 Added some hard to find flashing tools and original firmwares from Samsung wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] dbc9492f547bcd7c21c85f7202403775df4beab9 5256 5247 2017-05-20T14:04:22Z JayFoxRox 2 Added list of Kreon 1.00 commands from the README wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 1b2008e7e6fe16fe41518cdebb35ee9aec99ac70 0 4 5233 5194 2017-05-16T21:38:53Z JayFoxRox 2 Fixed bug in markup wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced ^[Ref]][http://www.extremegamer.ca/xbox/games/combat121.php ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au ^[Ref]][http://pc.ign.com/objects/665/665243.html ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando ^[Ref]]</ref>[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 ^[Ref]] | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E ^[Ref]] | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html ^[Ref]] | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from [https://en.wikipedia.org/wiki/List_of_CryEngine_games here], [https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], [https://en.wikipedia.org/wiki/Id_Tech_3 here], and [https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 000a012b5aef5687aef450f15d31d2715b306406 5234 5233 2017-05-16T21:41:02Z JayFoxRox 2 Fixed link markup wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}</ref>^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here], <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here], and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* a3f860734f0027072a0a0a3cfd5ad4b3286ff1c4 5235 5234 2017-05-16T21:42:07Z JayFoxRox 2 One link was still broken wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein |- | Soldier of Fortune II: Double Helix |- | Star Wars Jedi Knight II: Jedi Outcast |- | Star Wars Jedi Knight: Jedi Academy |- | James Bond 007: Everything or Nothing |- | James Bond 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here], <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here], and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 9adb1c2fd844173bee4864026aeb45861250845c 5258 5235 2017-05-21T16:30:10Z JayFoxRox 2 /* id Tech 3 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein: Tides of War |- | Soldier of Fortune II: Double Helix |- | Star Wars: Jedi Knight II: Jedi Outcast |- | Star Wars: Jedi Knight: Jedi Academy |- | 007: Everything or Nothing |- | 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout: Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Harry Potter and the Order of the Phoenix | 2007 | Nintendo DS, PlayStation 2, PSP, Windows, Wii, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | MLB 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 20-03 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | NRL Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | S.C.A.R. - Squadra Corse Alfa Romeo / Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here], <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here], and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 02110e0236a3fd75f34c4e3b25112f42b9903be1 5259 5258 2017-05-21T16:38:50Z JayFoxRox 2 /* Renderware */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein: Tides of War |- | Soldier of Fortune II: Double Helix |- | Star Wars: Jedi Knight II: Jedi Outcast |- | Star Wars: Jedi Knight: Jedi Academy |- | 007: Everything or Nothing |- | 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | Major League Baseball 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 2003 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop: Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie Game | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose: A Gunslinger's Tale in Mexico | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers In Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers In Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations(City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic: The Gathering - Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor: Vietnam | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3: Raven Shield | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here], <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here], <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here], and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* d8faf2de166b5aec8ee0273ad94e3948dbffbae3 5261 5259 2017-05-21T16:47:50Z JayFoxRox 2 /* Unreal Engine 2 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein: Tides of War |- | Soldier of Fortune II: Double Helix |- | Star Wars: Jedi Knight II: Jedi Outcast |- | Star Wars: Jedi Knight: Jedi Academy |- | 007: Everything or Nothing |- | 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | Major League Baseball 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 2003 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop: Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie Game | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose: A Gunslinger's Tale in Mexico | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121<br>America's Secret Operations (City Interactive Europe version) | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin<br>Battlestrike: Secret Weapons(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima<br>The Heat of War(City Interactive Europe version) | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 392ad97a3dbd9da95a1c83b723d6ff36f8d7b8e0 5262 5261 2017-05-21T16:55:34Z JayFoxRox 2 Remove alternative titles wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | Counter-Strike |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | Return to Castle Wolfenstein: Tides of War |- | Soldier of Fortune II: Double Helix |- | Star Wars: Jedi Knight II: Jedi Outcast |- | Star Wars: Jedi Knight: Jedi Academy |- | 007: Everything or Nothing |- | 007: Agent Under Fire |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | Half-Life 2 |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | Far Cry Instincts | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | Far Cry Instincts: Evolution | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | AFL Live 2003 | 2002 | PlayStation 2, Xbox | IR Gurus |- | AFL Live 2004 | 2003 | PlayStation 2, Xbox | IR Gurus |- | AFL Live Premiership Edition | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | Major League Baseball 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 2003 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop: Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | Tech Deck: Bare Knuckle Grind | 2005 | Xbox | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie Game | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose: A Gunslinger's Tale in Mexico | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121 | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 56de857b2fbf9004411fe9b03391f6c4571b70b1 0 8 5237 35 2017-05-17T23:50:42Z JayFoxRox 2 Cleanup links and add a super userful nvidia doc wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf b0053ccc9f4e4e04138e6669033bd0f0742b97e7 5265 5237 2017-05-21T23:41:52Z JayFoxRox 2 /* References and links */ wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf b17fda35a4c436dae9f49062f1d493f95cc57d1c 5266 5265 2017-05-21T23:51:28Z JayFoxRox 2 Table for texturemodes wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Texturing modes == {|class="wikitable" !ID !Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE |* |* |* |* | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |* |* |* |* | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |* |* |* |* | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |* |* |* |* | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |* |* |* |* | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |* |* |* |* | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP | |* |* |* | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM | |* |* |* | |- |0x08 |PS_TEXTUREMODES_BRDF | | |* |* | |- |0x09 |PS_TEXTUREMODES_DOT_ST | | |* |* | |- |0x0A |PS_TEXTUREMODES_DOT_ZW | | |* |* | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF | | |* | | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC | | | |* | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D | | | |* | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE | | | |* | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR | |* |* |* | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB | |* |* |* | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT | |* |* | | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST | | | |* | |} == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 6b89ed0b5fc21b55f7b775fdb9b5910786eb5bbd 5267 5266 2017-05-21T23:59:47Z JayFoxRox 2 Attempted to add D3D names wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Texturing modes == {|class="wikitable" !ID !Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |* |* |* |* | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |* |* |* |* | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |* |* |* |* | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |* |* |* |* | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |* |* |* |* | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |* |* |* |* | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem | |* |* |* | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml | |* |* |* | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | | |* |* | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} | | |* |* | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} | | |* |* | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF | | |* | | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC | | | |* | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D | | | |* | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE | | | |* | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar | |* |* |* | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb | |* |* |* | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT | |* |* | | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST | | | |* | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf cde892f34466204bc531a8e04fee531f14a10fa4 0 3705 5239 2017-05-18T11:33:54Z Wayo 2479 Created page with "This is used to find the Xbox Public RSA-2048 Key. This key is used to verify the signed XBE executables. == XBE signing process == The XBE signing process consists of two s..." wikitext text/x-wiki This is used to find the Xbox Public RSA-2048 Key. This key is used to verify the signed XBE executables. == XBE signing process == The XBE signing process consists of two stages: 1. Calculate a SHA-1 hash of the contents of each of the XBE sections and store it in a table in the XBE header. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. The hash is then encrypted with a 2048-bit RSA private key. The signature of all official titles has been encrypted with The resulting encrypted hash ''signature'' stored near after the XBE header XBEH ''magic'' field, in the ''digital signature'' field. == XBE signature verification == When an Xbox verifies an executable, a similar process is followed: 1. All the XBE section hashes are recalculated and compared to the ones stored in the XBE header section table. If these don't match, verification fails. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. 3. The ''digital signature'' field from the XBE is decrypted with the 2048-bit RSA public key and compared to the SHA-1 hash of the XBE header. Finally, if the two values match, the game is verified. 1459d2b4eff187d522d7423d493eb52f441bcdfc 5240 5239 2017-05-18T13:44:37Z Wayo 2479 wikitext text/x-wiki This is used to find the Xbox Public RSA-2048 Key. This key is used to verify the signed XBE executables. struct RSA_PUBLIC_KEY { char Magic[4]; // "RSA1" unsigned int Bloblen; // 264 (Modulus + Exponent + Modulussize) unsigned char Bitlen[4]; // 2048 unsigned int ModulusSize; // 255 (bytes in the Modulus) unsigned char Exponent[4]; unsigned char Modulus[256]; // Bit endian style unsigned char Privatekey[256]; // Private Key -- Big endian style }; struct RSA_PUBLIC_KEY xePublicKeyData; == XBE signing process == The XBE signing process consists of two stages: 1. Calculate a SHA-1 hash of the contents of each of the XBE sections and store it in a table in the XBE header. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. The hash is then encrypted with a 2048-bit RSA private key. The signature of all official titles has been encrypted with The resulting encrypted hash ''signature'' stored near after the XBE header XBEH ''magic'' field, in the ''digital signature'' field. == XBE signature verification == When an Xbox verifies an executable, a similar process is followed: 1. All the XBE section hashes are recalculated and compared to the ones stored in the XBE header section table. If these don't match, verification fails. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. 3. The ''digital signature'' field from the XBE is decrypted with the 2048-bit RSA public key and compared to the SHA-1 hash of the XBE header. Finally, if the two values match, the game is verified. == References and links == * [https://github.com/xqemu/xbedump/blob/master/xboxlib.c Xbedump source] 33953cac6c54a20879c86294e1fed0e91b574353 5245 5240 2017-05-18T16:57:40Z Wayo 2479 wikitext text/x-wiki This is used to find the Xbox Public RSA-2048 Key. This key is used to verify the signed [[XBE]] executables. struct RSA_PUBLIC_KEY { char Magic[4]; // "RSA1" unsigned int Bloblen; // 264 (Modulus + Exponent + Modulussize) unsigned char Bitlen[4]; // 2048 unsigned int ModulusSize; // 255 (bytes in the Modulus) unsigned char Exponent[4]; unsigned char Modulus[256]; // Bit endian style unsigned char Privatekey[256]; // Private Key -- Big endian style }; struct RSA_PUBLIC_KEY xePublicKeyData; == XBE signing process == The XBE signing process consists of two stages: 1. Calculate a SHA-1 hash of the contents of each of the XBE sections and store it in a table in the XBE header. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. The hash is then encrypted with a 2048-bit RSA private key. The signature of all official titles has been encrypted with The resulting encrypted hash ''signature'' stored near after the XBE header XBEH ''magic'' field, in the ''digital signature'' field. == XBE signature verification == When an Xbox verifies an executable, a similar process is followed: 1. All the XBE section hashes are recalculated and compared to the ones stored in the XBE header section table. If these don't match, verification fails. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. 3. The ''digital signature'' field from the XBE is decrypted with the 2048-bit RSA public key and compared to the SHA-1 hash of the XBE header. Finally, if the two values match, the game is verified. == References and links == * [https://github.com/xqemu/xbedump/blob/master/xboxlib.c Xbedump source] 24b8b7115bd84a60b8eaef18ef0d63376a827a3a 5246 5245 2017-05-18T16:58:03Z Wayo 2479 wikitext text/x-wiki This is used to find the Xbox Public RSA-2048 Key. This key is used to verify the signed [[Xbe]] executables. struct RSA_PUBLIC_KEY { char Magic[4]; // "RSA1" unsigned int Bloblen; // 264 (Modulus + Exponent + Modulussize) unsigned char Bitlen[4]; // 2048 unsigned int ModulusSize; // 255 (bytes in the Modulus) unsigned char Exponent[4]; unsigned char Modulus[256]; // Bit endian style unsigned char Privatekey[256]; // Private Key -- Big endian style }; struct RSA_PUBLIC_KEY xePublicKeyData; == XBE signing process == The XBE signing process consists of two stages: 1. Calculate a SHA-1 hash of the contents of each of the XBE sections and store it in a table in the XBE header. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. The hash is then encrypted with a 2048-bit RSA private key. The signature of all official titles has been encrypted with The resulting encrypted hash ''signature'' stored near after the XBE header XBEH ''magic'' field, in the ''digital signature'' field. == XBE signature verification == When an Xbox verifies an executable, a similar process is followed: 1. All the XBE section hashes are recalculated and compared to the ones stored in the XBE header section table. If these don't match, verification fails. 2. Calculate a SHA-1 hash of the XBE header, except for the ''magic'' 'XBEH' value and the ''digital signature'' field. 3. The ''digital signature'' field from the XBE is decrypted with the 2048-bit RSA public key and compared to the SHA-1 hash of the XBE header. Finally, if the two values match, the game is verified. == References and links == * [https://github.com/xqemu/xbedump/blob/master/xboxlib.c Xbedump source] bab5b2388435ace5743cdaa5d180c032221e4e70 0 12 5241 5049 2017-05-18T13:53:11Z Wayo 2479 /* List of known versions */ wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == * 3424 (alpha?) * 3911 (*) * 3925 (*) * 3936 (*) * 3937 (*) * 3941 (*) * 3948 (*) * 3950 (*) * 4020 (Seen on an official Xbox recovery tool) * 4034 (*) * 4039 (*) * 4134 (*) * 4242 (*) * 4361 * 4400 (rare) * 4432 * 4531 * 4627 * 4721 * 4831 * 4928 * 5028 * 5120 * 5233 * 5344 * 5455 * 5558 * 5659 * 5788 * 5849 (Dec 2003) * 5849.16 * 5933 (uncertain number - Dxbx code mentions 5911) * 5960 (last official dashboard) (*) : Earlier XDK's contained libraries with different versions numbers. Before or around XDK version 4361, all libraries in the XDK were given the same version number. Note : An even more complete listing can be found here : http://codeasm.com/xbox/files/Xbox%20Kernel_Dash_XDK%20versions.txt 67b55f8afe8d9522372705861552a51d1e248e27 5242 5241 2017-05-18T14:05:15Z Wayo 2479 /* List of known versions */ wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == {| class="wikitable" ! Version ! Comments |- ! 3424 | April 2001 XDK and SDK (03.01.01 - New for April XDK release) |- ! 3911 | August XDK 2001 (( Final Hardware Recovery) (build on WIN2000 5. 2134/2195 ? 5.1.2258.400)(*) |- ! 3925 | Retail? XDK(*) |- ! 3936 | (*) |- ! 3937 | (*) |- ! 3941 | (*) |- ! 3948 | (*) |- ! 3950 | (*) |- ! 4020 | Seen on an official Xbox recovery tool |- ! 4034 | (*) |- ! 4039 | (*) |- ! 4134 | December 2001 XDK (*) |- ! 4242 | February 2002 XDK (*) |- ! 4361 | March 2002 XDK |- ! 4400 | Barnabas XDK - rare |- ! 4432 | April 2002 XDK |- ! 4531 | May 2002 XDK |- ! 4627 | June 2002 XDK |- ! 4721 | July 2002 XDK |- ! 4831 | August 2002 XDK |- ! 4928 | September 2002 XDK |- ! 5028 | October 2002 XDK |- ! 5120 | November 2002 XDK |- ! 5233 | December 2002 XDK |- ! 5344 | February 2003 XDK |- ! 5455 | April 2003 XDK |- ! 5558 | June 2003 XDK |- ! 5659 | August 2003 XDK |- ! 5788 | November 2003 XDK |- ! 5849 | December 2003 XDK |- ! 5849 | .16 |- ! 5933 | uncertain number - Dxbx code mentions 5911 |- ! 5960 | last official dashboard |} (*) : Earlier XDK's contained libraries with different versions numbers. Before or around XDK version 4361, all libraries in the XDK were given the same version number. Note : An even more complete listing can be found here : http://codeasm.com/xbox/files/Xbox%20Kernel_Dash_XDK%20versions.txt ef839f9dd2708d282e67524a11f7718c69a157d8 0 3706 5243 2017-05-18T16:50:42Z Wayo 2479 Created page with "XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsof..." wikitext text/x-wiki XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm] d4e18cede06f4a436da8a68116b79bcb3267bc7e 5244 5243 2017-05-18T16:56:58Z Wayo 2479 /* Resources and links */ wikitext text/x-wiki XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] a6c1831d67b9ad1bb93f3a2cfacf9f67064dc699 0 3707 5249 2017-05-19T06:03:38Z KaosEngineer 2482 Created page with "The original Xbox hard disk drive was 8GB in size. Later releases, 1.4's had 10GB drives; however, only the first 8GB of the drive was used." wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.4's had 10GB drives; however, only the first 8GB of the drive was used. b24aaf90645456920b8aff46dbb3ce764115025c 5250 5249 2017-05-19T06:08:54Z KaosEngineer 2482 wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. 36dd315024a3d4d8adf83ac289e5af684e5da51d 5253 5250 2017-05-20T00:59:30Z Mborgerson 2478 Add partition info, stub other sections wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0? | ? | ? | 8G |- | 1.3+ | Seagate | ? | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the EEPROM data. == How To: Backup an HDD == '''FIXME''' == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] 9b85ecf156210287c094d0c012ac270a1c64e0a8 5255 5253 2017-05-20T07:19:15Z JayFoxRox 2 EEPROM Link wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0? | ? | ? | 8G |- | 1.3+ | Seagate | ? | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == '''FIXME''' == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] fe23493f1152c9765e648c289b6359030fa455c7 5257 5255 2017-05-20T19:18:21Z Mborgerson 2478 wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0? | ? | ? | 8G |- | 1.3+ | Seagate | ? | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] 2dd9ae49781e5ff6832ab32c1a19e3528b80db8f 0 3708 5254 2017-05-20T01:08:41Z Mborgerson 2478 Created page with "The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! P..." wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * [http://hackipedia.org/Disk%20formats/File%20systems/FATX%2C%20File%20Allocation%20Table%20%28X-Box%29/Differences_between_Xbox_FATX_and_MS-DOS_FAT.htm Differences between Xbox FATX and MS-DOS FAT] c97a9e92aae891fb4081e307374959647f1053c2 1 3686 5260 5048 2017-05-21T16:39:16Z JayFoxRox 2 /* Unreleased games */ new section wikitext text/x-wiki Shall we merge this with https://en.wikipedia.org/wiki/List_of_Xbox_games and https://en.wikipedia.org/wiki/List_of_Xbox_games_with_alternate_display_modes ? We could just add a column for the engine so the list could be sorted. We could also add a column for all the XDK versions etc - it would be a massive table, but probably useful? Shall we do this somewhere else? google sheets? Shall we use a program to generate a mediawiki version for this wiki? Eitherway, we'd then create a page for every game to mention further technical details (See "Games/" articles) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 29 March 2017 (PDT) == Unreleased games == How to handle unreleased games like "Tech Deck: Bare Knuckle Grind" ? eb41a6757fe2ac05d02abd9ed0862977540dafe0 5263 5260 2017-05-21T16:57:11Z JayFoxRox 2 wikitext text/x-wiki Shall we merge this with https://en.wikipedia.org/wiki/List_of_Xbox_games and https://en.wikipedia.org/wiki/List_of_Xbox_games_with_alternate_display_modes ? We could just add a column for the engine so the list could be sorted. We could also add a column for all the XDK versions etc - it would be a massive table, but probably useful? Shall we do this somewhere else? google sheets? Shall we use a program to generate a mediawiki version for this wiki? Eitherway, we'd then create a page for every game to mention further technical details (See "Games/" articles) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 29 March 2017 (PDT) == Unreleased games == How to handle unreleased games like "Tech Deck: Bare Knuckle Grind" ? (the list might be incomplete, I believe this was released on PC - no idea what engine though) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 09:57, 21 May 2017 (PDT) 916a57e211bb6094b6dc78742708b6884dbe292b 0 3689 5264 5200 2017-05-21T21:00:13Z Furon 2477 /* External Links */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 471f40aee4ff41572aac6ce1c7e8b1f68ac09927 0 3709 5268 2017-05-22T11:45:42Z JayFoxRox 2 Created page with "=== Switch to Dashboard === <pre> struct LaunchDataPage_Dashboard { uint32_t reason; uint32_t context; uint32_t parameters[2]; uint8_t padding[3072 - 16]; }; </pre>..." wikitext text/x-wiki === Switch to Dashboard === <pre> struct LaunchDataPage_Dashboard { uint32_t reason; uint32_t context; uint32_t parameters[2]; uint8_t padding[3072 - 16]; }; </pre> {| class="wikitable" !<code>reason</code> !<code>parameters[0]</code> !<code>parameters[1]</code> !Note |- |0 = MainMenu | | |- |rowspan="5"|1 = Error |1 = InvalidXbe | | |- |2 = InvalidHdd | | |- |3 = Region | | |- |4 = ParentalControl | | |- |5 = MediaType |Rating which caused this error | |- |2 = Savedata | | | |- |rowspan="5"|3 = Settings flags |0x01 = Clock | | |- |0x02 = Timezone | | |- |0x04 = Language | | |- |0x08 = Video | | |- |0x10 = Audio | | |- |4 = Music | | | |} f0ea6c4d34b6d44a6067860f930d023b0aa57f85 0 3710 5269 2017-05-22T12:14:47Z JayFoxRox 2 Created page with "These are the errors which will be displayed {| class="wikitable" !Value (2 digit decimal) !Meaning |- |0 |No error (used internally to clear error flags from EEPROM) |- |01..." wikitext text/x-wiki These are the errors which will be displayed {| class="wikitable" !Value (2 digit decimal) !Meaning |- |0 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |05 |Harddrive not locked |- |06 |Unable to unlock Harddrive |- |07 |Harddrive unresponsive{{citation needed}} |- |08 |Harddrive missing |- |09 |Wrong Harddrive{{citation needed}} |- |10 |DVD Drive unresponsive |- |11 |DVD Drive missing |- |12 |Wrong DVD Drive{{citation needed}} |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 28de008503bff8b9feb22caa86506dc9f4a2f1d9 5270 5269 2017-05-22T12:15:08Z JayFoxRox 2 Fixed typo wikitext text/x-wiki These are the errors which will be displayed {| class="wikitable" !Value (2 digit decimal) !Meaning |- |0 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |05 |Harddrive not locked |- |06 |Unable to unlock Harddrive |- |07 |Harddrive unresponsive{{citation needed}} |- |08 |Harddrive missing |- |09 |Wrong Harddrive{{citation needed}} |- |10 |DVD Drive unresponsive |- |11 |DVD Drive missing |- |12 |Wrong DVD Drive{{citation needed}} |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 568b8f3dbc41d2a57bc58fd3a8da50f0f8e8a059 5271 5270 2017-05-22T12:15:27Z JayFoxRox 2 Meh.. 0 -> 00 wikitext text/x-wiki These are the errors which will be displayed {| class="wikitable" !Value (2 digit decimal) !Meaning |- |00 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |05 |Harddrive not locked |- |06 |Unable to unlock Harddrive |- |07 |Harddrive unresponsive{{citation needed}} |- |08 |Harddrive missing |- |09 |Wrong Harddrive{{citation needed}} |- |10 |DVD Drive unresponsive |- |11 |DVD Drive missing |- |12 |Wrong DVD Drive{{citation needed}} |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 5f56c0b94d55a2704a4d26a6826687cb88221bb6 0 3711 5272 2017-05-22T12:30:23Z JayFoxRox 2 Created page with "HalReturnToFirmware is used to reboot the Xbox. The Xbox is also quick-rebooted to launch a new XBE." wikitext text/x-wiki HalReturnToFirmware is used to reboot the Xbox. The Xbox is also quick-rebooted to launch a new XBE. 0defce6bb2ccff9a21c9782c42457beecc5f311d 0 3709 5273 5268 2017-05-22T13:06:27Z JayFoxRox 2 Lots of new stuff wikitext text/x-wiki LaunchDataPage is a pointer to a memory page (4096 Bytes) which is persisted across reboots. The pointer might be <code>NULL</code> until the memory page is allocated. Allocation and persisting the page is responsibility of the application. <pre>struct { uint32_t launch_data_type; uint32_t title_id; char launch_path[520]; uint32_t flags; uint8_t pad[492]; uint32_t launch_data[3072]; }* LaunchDataPage;</pre> == Launch data == === Type 0x00000000: Switch to title === Will reboot to a new XBE. The data is application dependent. Official game demos should respect additional data: <pre>struct LaunchData00000000 { uint32_t id; uint32_t runmode; // 0x00000001 = Kiosk / 0x00000002 = Normal (user selected) uint32_t timeout; char launcher_xbe_path[64]; char title_xbe_path[64]; uint8_t padding[3072 - 140]; };</pre> === Type 0x00000001: Switch to dashboard === Will reboot to the [[Dashboard]]. <pre>struct LaunchData00000001 { uint32_t reason; uint32_t context; uint32_t parameters[2]; uint8_t padding[3072 - 16]; };</pre> {| class="wikitable" !<code>reason</code> !<code>parameters[0]</code> !<code>parameters[1]</code> !Note |- |0 = Show Dashboard | | |- |rowspan="5"|1 = Error |1 = Invalid XBE | | |- |2 = Invalid Harddrive | | |- |3 = Region | | |- |4 = Parental control | | |- |5 = Media type bad |Rating which caused this error | |- |2 = Savedata | | | |- |rowspan="5"|3 = Settings (flags) |0x01 = Clock | | |- |0x02 = Timezone | | |- |0x04 = Language | | |- |0x08 = Video | | |- |0x10 = Audio | | |- |4 = Music | | | |- |5 | | | |- |6 = Network Configuration | | | |- |7 = Create new account | | | |- |8 = MessageServerInfo | | | |- |rowspan="4"|9 = Show policies (flags) |0x01 = Subscription agreement | | |- |0x02 = Terms of use | | |- |0x04 = Code of conduct | | |- |0x08 = Privacy statement | | |- |10 = Online menu | | | |- |11 = Force change of account name | | | |- |12 = Force change of billing information | | | |} === Type 0x00000002: Switch from dashboard === This passes back the context which was originally passed to the dashboard. <pre>struct LaunchData00000002 { uint32_t context; uint8_t padding[3072 - 4]; };</pre> === Type 0x00000003: Run from debugger === <pre>struct LaunchData00000003 { char command_line[3072]; };</pre> === Type 0x00000004: Switch to title update === === Type 0x00000006: Switch from title update === <pre>struct LaunchData00000006 { uint32_t context; uint32_t hr; // Microsoft result code char padding[3072 - 8]; };</pre> === Type 0xFFFFFFFF: None === <code>launch_data</code> remains unused. 17573da13e0e913c794eb30959afd3253999e639 6 3712 5274 2017-05-22T13:11:52Z JayFoxRox 2 Xbox Fatal Error screen showing error 13 wikitext text/x-wiki Xbox Fatal Error screen showing error 13 6733e674c56d117a8e7fbd7a2c4714f7ca0f2afd 0 3710 5275 5271 2017-05-22T13:13:57Z JayFoxRox 2 Added screenshot wikitext text/x-wiki These are the errors which will be displayed [[File:Fatal_Error_13.png|300px|thumb|right|Fatal Error 13 being displayed]] {| class="wikitable" !Value (2 digit decimal) !Meaning |- |00 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |05 |Harddrive not locked |- |06 |Unable to unlock Harddrive |- |07 |Harddrive unresponsive{{citation needed}} |- |08 |Harddrive missing |- |09 |Wrong Harddrive{{citation needed}} |- |10 |DVD Drive unresponsive |- |11 |DVD Drive missing |- |12 |Wrong DVD Drive{{citation needed}} |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 548c642ef346480aa2ac65d28dc8c4512a31fac2 0 3678 5276 5073 2017-05-22T13:16:41Z JayFoxRox 2 JayFoxRox moved page [[Operating System]] to [[Kernel]]: OS was too vague wikitext text/x-wiki == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 8e56eb4e69266eef10a22ae30e06453ed1d75878 0 3713 5277 2017-05-22T13:16:41Z JayFoxRox 2 JayFoxRox moved page [[Operating System]] to [[Kernel]]: OS was too vague wikitext text/x-wiki #REDIRECT [[Kernel]] 28becd4c631146ed076fc578d2a51510c07a7972 0 3714 5278 2017-05-22T14:15:33Z JayFoxRox 2 Created page with "This is an unreleased game for the original Xbox. The same engine was to be used for [[Games/Rocket Power: Zero Gravity Zone]] and [[Games/Sonic Extreme]] [https://www.youtube..." wikitext text/x-wiki This is an unreleased game for the original Xbox. The same engine was to be used for [[Games/Rocket Power: Zero Gravity Zone]] and [[Games/Sonic Extreme]] [https://www.youtube.com/watch?v=H6lXV1YNjVA]. 4 versions of the game were released as "Digital Playset" for PC [https://www.youtube.com/watch?v=s4yIQkU5PZs]: * Tech Deck Dude Bare Knuckle Grind Fareast-Town * Tech Deck Dude Bare Knuckle Grind Down-Town * Tech Deck Dude Bare Knuckle Grind Freak-Town * Tech Deck Dude Bare Knuckle Grind Space-Town = Rocket Power: Zero Gravity Zone = https://www.unseen64.net/2009/10/14/rocket-power-zero-gravity-zone-ps2-xbox-gamecube-cancelled/| = Sonic Extreme = https://www.unseen64.net/2011/06/03/sonic-extreme-xbox-pitch-prototype/ 327c651eead23d790b8c677b09ae847e171c7fa1 5289 5278 2017-05-22T14:55:44Z JayFoxRox 2 wikitext text/x-wiki {{Game}} This is an unreleased game for the original Xbox. The same engine was to be used for [[Games/Rocket Power: Zero Gravity Zone]] and [[Games/Sonic Extreme]] [https://www.youtube.com/watch?v=H6lXV1YNjVA]. 4 versions of the game were released as "Digital Playset" for PC [https://www.youtube.com/watch?v=s4yIQkU5PZs]: * Tech Deck Dude Bare Knuckle Grind Fareast-Town * Tech Deck Dude Bare Knuckle Grind Down-Town * Tech Deck Dude Bare Knuckle Grind Freak-Town * Tech Deck Dude Bare Knuckle Grind Space-Town = Rocket Power: Zero Gravity Zone = https://www.unseen64.net/2009/10/14/rocket-power-zero-gravity-zone-ps2-xbox-gamecube-cancelled/| = Sonic Extreme = https://www.unseen64.net/2011/06/03/sonic-extreme-xbox-pitch-prototype/ 6e762a0ab72e8b68a0c48231c9c0f84b0ce33ea2 5290 5289 2017-05-22T14:56:01Z JayFoxRox 2 wikitext text/x-wiki {{Game}} This is an unreleased game for the original Xbox. The same engine was to be used for [[Rocket Power: Zero Gravity Zone]] and [[Sonic Extreme]] [https://www.youtube.com/watch?v=H6lXV1YNjVA]. 4 versions of the game were released as "Digital Playset" for PC [https://www.youtube.com/watch?v=s4yIQkU5PZs]: * Tech Deck Dude Bare Knuckle Grind Fareast-Town * Tech Deck Dude Bare Knuckle Grind Down-Town * Tech Deck Dude Bare Knuckle Grind Freak-Town * Tech Deck Dude Bare Knuckle Grind Space-Town = Rocket Power: Zero Gravity Zone = https://www.unseen64.net/2009/10/14/rocket-power-zero-gravity-zone-ps2-xbox-gamecube-cancelled/| = Sonic Extreme = https://www.unseen64.net/2011/06/03/sonic-extreme-xbox-pitch-prototype/ b3df2a519ae3625ad8d283c45e280f50601df6c0 5295 5290 2017-05-22T14:59:28Z JayFoxRox 2 JayFoxRox moved page [[Games/Tech Deck Dude Bare Knuckle Grind]] to [[Tech Deck Dude Bare Knuckle Grind]] without leaving a redirect wikitext text/x-wiki {{Game}} This is an unreleased game for the original Xbox. The same engine was to be used for [[Rocket Power: Zero Gravity Zone]] and [[Sonic Extreme]] [https://www.youtube.com/watch?v=H6lXV1YNjVA]. 4 versions of the game were released as "Digital Playset" for PC [https://www.youtube.com/watch?v=s4yIQkU5PZs]: * Tech Deck Dude Bare Knuckle Grind Fareast-Town * Tech Deck Dude Bare Knuckle Grind Down-Town * Tech Deck Dude Bare Knuckle Grind Freak-Town * Tech Deck Dude Bare Knuckle Grind Space-Town = Rocket Power: Zero Gravity Zone = https://www.unseen64.net/2009/10/14/rocket-power-zero-gravity-zone-ps2-xbox-gamecube-cancelled/| = Sonic Extreme = https://www.unseen64.net/2011/06/03/sonic-extreme-xbox-pitch-prototype/ b3df2a519ae3625ad8d283c45e280f50601df6c0 0 3715 5279 2017-05-22T14:17:54Z JayFoxRox 2 Redirected page to [[Games/Tech Deck Dude Bare Knuckle Grind#Rocket Power: Zero Gravity Zone]] wikitext text/x-wiki #REDIRECT [[Games/Tech Deck Dude Bare Knuckle Grind#Rocket_Power:_Zero_Gravity_Zone]] 374f657e3cdd20f36c578f70947e8a2e11e725d1 5296 5279 2017-05-22T14:59:53Z JayFoxRox 2 wikitext text/x-wiki {{Game}} #REDIRECT [[Tech Deck Dude Bare Knuckle Grind#Rocket_Power:_Zero_Gravity_Zone]] c6346ba7b37317c559623dde3f42eb62db5c02cc 5297 5296 2017-05-22T15:00:06Z JayFoxRox 2 Redirected page to [[Tech Deck Dude Bare Knuckle Grind#Rocket Power: Zero Gravity Zone]] wikitext text/x-wiki #REDIRECT [[Tech Deck Dude Bare Knuckle Grind#Rocket_Power:_Zero_Gravity_Zone]] {{Game}} f229b06b135e4dc33c9a90344f41ee1384743ade 5298 5297 2017-05-22T15:00:15Z JayFoxRox 2 JayFoxRox moved page [[Games/Rocket Power: Zero Gravity Zone]] to [[Rocket Power: Zero Gravity Zone]] without leaving a redirect wikitext text/x-wiki #REDIRECT [[Tech Deck Dude Bare Knuckle Grind#Rocket_Power:_Zero_Gravity_Zone]] {{Game}} f229b06b135e4dc33c9a90344f41ee1384743ade 0 3716 5280 2017-05-22T14:18:25Z JayFoxRox 2 Redirected page to [[Games/Tech Deck Dude Bare Knuckle Grind#Sonic Extreme]] wikitext text/x-wiki #REDIRECT [[Games/Tech Deck Dude Bare Knuckle Grind#Sonic Extreme]] 55fa15317ca7a915f9541a7d6cb316a6081f771b 5299 5280 2017-05-22T15:00:43Z JayFoxRox 2 Redirected page to [[Tech Deck Dude Bare Knuckle Grind#Sonic Extreme]] wikitext text/x-wiki #REDIRECT [[Tech Deck Dude Bare Knuckle Grind#Sonic Extreme]] {{Game}} be054a6c6228c4b1c4c9fc06a957d92f9253eebb 5300 5299 2017-05-22T15:00:52Z JayFoxRox 2 JayFoxRox moved page [[Games/Sonic Extreme]] to [[Sonic Extreme]] without leaving a redirect wikitext text/x-wiki #REDIRECT [[Tech Deck Dude Bare Knuckle Grind#Sonic Extreme]] {{Game}} be054a6c6228c4b1c4c9fc06a957d92f9253eebb 10 3717 5281 2017-05-22T14:39:39Z JayFoxRox 2 Creating game template wikitext text/x-wiki [[Category:Games]] 1f0be2923d4179a065c9d4a005a02daf12dcb217 5283 5281 2017-05-22T14:40:38Z JayFoxRox 2 wikitext text/x-wiki <includeonly>[[Category:Games]]</includeonly> 98267a1cda85ccefc1e1edc9468d14dde779218d 0 3685 5282 5046 2017-05-22T14:40:04Z JayFoxRox 2 Testing template wikitext text/x-wiki {{Game}} === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 7d2e3cd84529b1b599bbd444d77ac2b8fbc72cf1 5284 5282 2017-05-22T14:48:07Z JayFoxRox 2 JayFoxRox moved page [[Games/Azurik: Rise of Perathia]] to [[Game:Azurik: Rise of Perathia]] wikitext text/x-wiki {{Game}} === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 7d2e3cd84529b1b599bbd444d77ac2b8fbc72cf1 5291 5284 2017-05-22T14:56:51Z JayFoxRox 2 JayFoxRox moved page [[Game:Azurik: Rise of Perathia]] to [[Azurik: Rise of Perathia]] without leaving a redirect wikitext text/x-wiki {{Game}} === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 7d2e3cd84529b1b599bbd444d77ac2b8fbc72cf1 5292 5291 2017-05-22T14:57:05Z JayFoxRox 2 wikitext text/x-wiki {{Game}} === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:http://i.imgur.com/tpmLpjP.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 52cf39fb9b30a86a6afac881d59542ea74b16e81 0 13 5286 30 2017-05-22T14:52:33Z JayFoxRox 2 JayFoxRox moved page [[Games/Tony Hawk's Pro Skater 2x]] to [[Tony Hawk's Pro Skater 2x]] without leaving a redirect wikitext text/x-wiki == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== Shader: <code> /* Slot 0: 0x00000000 0x00320000 0x0C36106C 0x21200FF8 */ MOV(R2,w, c[144].x); /* Slot 1: 0x00000000 0x005600FF 0x2554186C 0x21300FF8 */ MUL(R3,w, R2.w, c[176].z); /* Slot 2: 0x00000000 0x00960000 0x0C3413FC 0xDE400FF8 */ MAD(R4,xyz, c[176].x, v0.xyz, R3.w); /* Slot 3: 0x00000000 0x007002AA 0x0C361400 0x28500FF8 */ ADD(R5,x, c[128].z, -v1.x); /* Slot 4: 0x00000000 0x0ACC001B 0x0836186D 0x18640FF8 */ DPH(R6,x, v0, c[96]); EXP(R1,y, R4.x); /* Slot 5: 0x00000000 0x00CC201B 0x0836186C 0x24600FF8 */ DPH(R6,y, v0, c[97]); /* Slot 6: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 7: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 8: 0x00000000 0x00B0801A 0x1436186C 0x28700FF8 */ DP3(R7,x, R1.xyz, c[132]); /* Slot 9: 0x00000000 0x0ACC401B 0x08361955 0x12640FF8 */ DPH(R6,z, v0, c[98]); EXP(R1,y, R4.y); /* Slot 10: 0x00000000 0x00CC601B 0x0836186C 0x28800FF8 */ DPH(R8,x, v0, c[99]); /* Slot 11: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 12: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 13: 0x00000000 0x00B0801A 0x1436186C 0x24700FF8 */ DP3(R7,y, R1.xyz, c[132]); /* Slot 14: 0x00000000 0x0ACC801B 0x08361AA9 0x14840FF8 */ DPH(R8,y, v0, c[100]); EXP(R1,y, R4.z); /* Slot 15: 0x00000000 0x00CCA01B 0x0836186C 0x22800FF8 */ DPH(R8,z, v0, c[101]); /* Slot 16: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 17: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 18: 0x00000000 0x00B0801A 0x1436186C 0x22700FF8 */ DP3(R7,z, R1.xyz, c[132]); /* Slot 19: 0x00000000 0x0040021A 0x6400106C 0x2E900FF8 */ MUL(R9,xyz, R6.xyz, v1.x); /* Slot 20: 0x00000000 0x0080001A 0x8400A86A 0x5EA00FF8 */ MAD(R10,xyz, R8.xyz, R5.x, R9.xyz); /* Slot 21: 0x00000000 0x00560655 0x08AA186C 0x21B00FF8 */ MUL(R11,w, v3.y, c[176].y); /* Slot 22: 0x00000000 0x005780FF 0xB5FE186C 0x21000FF8 */ MUL(R0,w, R11.w, c[188].w); /* Slot 23: 0x00000000 0x0080001A 0x75FE086A 0x9E200FF8 */ MAD(R2,xyz, R7.xyz, R0.w, R10.xyz); /* Slot 24: 0x00000000 0x0097871A 0x0D541068 0x9E300FF8 */ MAD(R3,xyz, -c[188].xyz, v3.z, R2.xyz); /* Slot 25: 0x00000000 0x00AC041B 0x0836186C 0x28400FF8 */ DP3(R4,x, v2, c[96]); /* Slot 26: 0x00000000 0x00AC241B 0x0836186C 0x24400FF8 */ DP3(R4,y, v2, c[97]); /* Slot 27: 0x00000000 0x00AC441B 0x0836186C 0x22400FF8 */ DP3(R4,z, v2, c[98]); /* Slot 28: 0x00000000 0x00AC641B 0x0836186C 0x28600FF8 */ DP3(R6,x, v2, c[99]); /* Slot 29: 0x00000000 0x00AC841B 0x0836186C 0x24600FF8 */ DP3(R6,y, v2, c[100]); /* Slot 30: 0x00000000 0x00ACA41B 0x0836186C 0x22600FF8 */ DP3(R6,z, v2, c[101]); /* Slot 31: 0x00000000 0x0040021A 0x4400106C 0x2E700FF8 */ MUL(R7,xyz, R4.xyz, v1.x); /* Slot 32: 0x00000000 0x0080001A 0x6400A869 0xDE800FF8 */ MAD(R8,xyz, R6.xyz, R5.x, R7.xyz); /* Slot 33: 0x00000000 0x00CEA01B 0x3436186C 0x20708800 */ DPH(oPos,x, R3, c[117]); /* Slot 34: 0x00000000 0x00CEC01B 0x3436186C 0x20704800 */ DPH(oPos,y, R3, c[118]); /* Slot 35: 0x00000000 0x00CEE01B 0x3436186C 0x20702800 */ DPH(oPos,z, R3, c[119]); /* Slot 36: 0x00000000 0x00CF001B 0x3436186C 0x20701800 */ DPH(oPos,w, R3, c[120]); /* Slot 37: 0x00000000 0x00A0001A 0x8435086C 0x21800FF8 */ DP3(R8,w, R8.xyz, R8.xyz); /* Slot 38: 0x00000000 0x00CD321B 0x0836186C 0x20708848 */ DPH(oT0,x, v9, c[105]); /* Slot 39: 0x00000000 0x0833401B 0x0C3613FE 0x1F910FF8 */ MOV(R9,xyzw, c[154]); RSQ(R1,w, R8.w); /* Slot 40: 0x00000000 0x00CD521B 0x0836186C 0x20704848 */ DPH(oT0,y, v9, c[106]); /* Slot 41: 0x00000000 0x0040001A 0x85FE286C 0x2EA00FF8 */ MUL(R10,xyz, R8.xyz, R1.w); /* Slot 42: 0x00000000 0x00B3001B 0xA636186C 0x28B00FF8 */ DP3(R11,x, R10, -c[152]); /* Slot 43: 0x00000000 0x00B3201B 0xA636186C 0x24B00FF8 */ DP3(R11,y, R10, -c[153]); /* Slot 44: 0x00000000 0x00CF001B 0x3436186C 0x20708828 */ DPH(oFog,x, R3, c[120]); /* Slot 45: 0x00000000 0x01500015 0xB400186C 0x2C000FF8 */ MAX(R0,xy, R11.xy, c[128].x); /* Slot 46: 0x00000000 0x00936000 0x0436186E 0x5F200FF8 */ MAD(R2,xyzw, R0.x, c[155], R9); /* Slot 47: 0x00000000 0x00938055 0x0436186C 0x9F300FF8 */ MAD(R3,xyzw, R0.y, c[156], R2); /* Slot 48: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 49: 0x00000000 0x0057401B 0x3436186C 0x2070F818 */ MUL(oD0,xyzw, R3, c[186]); /* Slot 50: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> ==== HUD ==== ==== Shadow ==== ===== Skater ===== Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ====== Shader ====== <code> /* Slot 0: 0x00000000 0x007002AA 0x0C361400 0x28200FF8 */ ADD(R2,x, c[128].z, -v1.x); /* Slot 1: 0x00000000 0x00CC001B 0x0836186C 0x28300FF8 */ DPH(R3,x, v0, c[96]); /* Slot 2: 0x00000000 0x00CC201B 0x0836186C 0x24300FF8 */ DPH(R3,y, v0, c[97]); /* Slot 3: 0x00000000 0x00CC401B 0x0836186C 0x22300FF8 */ DPH(R3,z, v0, c[98]); /* Slot 4: 0x00000000 0x00CC601B 0x0836186C 0x28400FF8 */ DPH(R4,x, v0, c[99]); /* Slot 5: 0x00000000 0x00CC801B 0x0836186C 0x24400FF8 */ DPH(R4,y, v0, c[100]); /* Slot 6: 0x00000000 0x00CCA01B 0x0836186C 0x22400FF8 */ DPH(R4,z, v0, c[101]); /* Slot 7: 0x00000000 0x0040021A 0x3400106C 0x2E500FF8 */ MUL(R5,xyz, R3.xyz, v1.x); /* Slot 8: 0x00000000 0x0080001A 0x44004869 0x5E600FF8 */ MAD(R6,xyz, R4.xyz, R2.x, R5.xyz); /* Slot 9: 0x00000000 0x00CEA01B 0x6436186C 0x20708800 */ DPH(oPos,x, R6, c[117]); /* Slot 10: 0x00000000 0x00CEC01B 0x6436186C 0x20704800 */ DPH(oPos,y, R6, c[118]); /* Slot 11: 0x00000000 0x00CEE01B 0x6436186C 0x20702800 */ DPH(oPos,z, R6, c[119]); /* Slot 12: 0x00000000 0x00CF001B 0x6436186C 0x20701800 */ DPH(oPos,w, R6, c[120]); /* Slot 13: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 14: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> 8383f255d00fa5f862293f7f8d4923302f02f5fa 5302 5286 2017-05-22T15:04:50Z JayFoxRox 2 wikitext text/x-wiki {{Game}} == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version ==== World ==== ==== Skater ==== Shader: <code> /* Slot 0: 0x00000000 0x00320000 0x0C36106C 0x21200FF8 */ MOV(R2,w, c[144].x); /* Slot 1: 0x00000000 0x005600FF 0x2554186C 0x21300FF8 */ MUL(R3,w, R2.w, c[176].z); /* Slot 2: 0x00000000 0x00960000 0x0C3413FC 0xDE400FF8 */ MAD(R4,xyz, c[176].x, v0.xyz, R3.w); /* Slot 3: 0x00000000 0x007002AA 0x0C361400 0x28500FF8 */ ADD(R5,x, c[128].z, -v1.x); /* Slot 4: 0x00000000 0x0ACC001B 0x0836186D 0x18640FF8 */ DPH(R6,x, v0, c[96]); EXP(R1,y, R4.x); /* Slot 5: 0x00000000 0x00CC201B 0x0836186C 0x24600FF8 */ DPH(R6,y, v0, c[97]); /* Slot 6: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 7: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 8: 0x00000000 0x00B0801A 0x1436186C 0x28700FF8 */ DP3(R7,x, R1.xyz, c[132]); /* Slot 9: 0x00000000 0x0ACC401B 0x08361955 0x12640FF8 */ DPH(R6,z, v0, c[98]); EXP(R1,y, R4.y); /* Slot 10: 0x00000000 0x00CC601B 0x0836186C 0x28800FF8 */ DPH(R8,x, v0, c[99]); /* Slot 11: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 12: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 13: 0x00000000 0x00B0801A 0x1436186C 0x24700FF8 */ DP3(R7,y, R1.xyz, c[132]); /* Slot 14: 0x00000000 0x0ACC801B 0x08361AA9 0x14840FF8 */ DPH(R8,y, v0, c[100]); EXP(R1,y, R4.z); /* Slot 15: 0x00000000 0x00CCA01B 0x0836186C 0x22800FF8 */ DPH(R8,z, v0, c[101]); /* Slot 16: 0x00000000 0x00400055 0x14AA286C 0x28100FF8 */ MUL(R1,x, R1.y, R1.y); /* Slot 17: 0x00000000 0x00400000 0x14AA286C 0x22100FF8 */ MUL(R1,z, R1.x, R1.y); /* Slot 18: 0x00000000 0x00B0801A 0x1436186C 0x22700FF8 */ DP3(R7,z, R1.xyz, c[132]); /* Slot 19: 0x00000000 0x0040021A 0x6400106C 0x2E900FF8 */ MUL(R9,xyz, R6.xyz, v1.x); /* Slot 20: 0x00000000 0x0080001A 0x8400A86A 0x5EA00FF8 */ MAD(R10,xyz, R8.xyz, R5.x, R9.xyz); /* Slot 21: 0x00000000 0x00560655 0x08AA186C 0x21B00FF8 */ MUL(R11,w, v3.y, c[176].y); /* Slot 22: 0x00000000 0x005780FF 0xB5FE186C 0x21000FF8 */ MUL(R0,w, R11.w, c[188].w); /* Slot 23: 0x00000000 0x0080001A 0x75FE086A 0x9E200FF8 */ MAD(R2,xyz, R7.xyz, R0.w, R10.xyz); /* Slot 24: 0x00000000 0x0097871A 0x0D541068 0x9E300FF8 */ MAD(R3,xyz, -c[188].xyz, v3.z, R2.xyz); /* Slot 25: 0x00000000 0x00AC041B 0x0836186C 0x28400FF8 */ DP3(R4,x, v2, c[96]); /* Slot 26: 0x00000000 0x00AC241B 0x0836186C 0x24400FF8 */ DP3(R4,y, v2, c[97]); /* Slot 27: 0x00000000 0x00AC441B 0x0836186C 0x22400FF8 */ DP3(R4,z, v2, c[98]); /* Slot 28: 0x00000000 0x00AC641B 0x0836186C 0x28600FF8 */ DP3(R6,x, v2, c[99]); /* Slot 29: 0x00000000 0x00AC841B 0x0836186C 0x24600FF8 */ DP3(R6,y, v2, c[100]); /* Slot 30: 0x00000000 0x00ACA41B 0x0836186C 0x22600FF8 */ DP3(R6,z, v2, c[101]); /* Slot 31: 0x00000000 0x0040021A 0x4400106C 0x2E700FF8 */ MUL(R7,xyz, R4.xyz, v1.x); /* Slot 32: 0x00000000 0x0080001A 0x6400A869 0xDE800FF8 */ MAD(R8,xyz, R6.xyz, R5.x, R7.xyz); /* Slot 33: 0x00000000 0x00CEA01B 0x3436186C 0x20708800 */ DPH(oPos,x, R3, c[117]); /* Slot 34: 0x00000000 0x00CEC01B 0x3436186C 0x20704800 */ DPH(oPos,y, R3, c[118]); /* Slot 35: 0x00000000 0x00CEE01B 0x3436186C 0x20702800 */ DPH(oPos,z, R3, c[119]); /* Slot 36: 0x00000000 0x00CF001B 0x3436186C 0x20701800 */ DPH(oPos,w, R3, c[120]); /* Slot 37: 0x00000000 0x00A0001A 0x8435086C 0x21800FF8 */ DP3(R8,w, R8.xyz, R8.xyz); /* Slot 38: 0x00000000 0x00CD321B 0x0836186C 0x20708848 */ DPH(oT0,x, v9, c[105]); /* Slot 39: 0x00000000 0x0833401B 0x0C3613FE 0x1F910FF8 */ MOV(R9,xyzw, c[154]); RSQ(R1,w, R8.w); /* Slot 40: 0x00000000 0x00CD521B 0x0836186C 0x20704848 */ DPH(oT0,y, v9, c[106]); /* Slot 41: 0x00000000 0x0040001A 0x85FE286C 0x2EA00FF8 */ MUL(R10,xyz, R8.xyz, R1.w); /* Slot 42: 0x00000000 0x00B3001B 0xA636186C 0x28B00FF8 */ DP3(R11,x, R10, -c[152]); /* Slot 43: 0x00000000 0x00B3201B 0xA636186C 0x24B00FF8 */ DP3(R11,y, R10, -c[153]); /* Slot 44: 0x00000000 0x00CF001B 0x3436186C 0x20708828 */ DPH(oFog,x, R3, c[120]); /* Slot 45: 0x00000000 0x01500015 0xB400186C 0x2C000FF8 */ MAX(R0,xy, R11.xy, c[128].x); /* Slot 46: 0x00000000 0x00936000 0x0436186E 0x5F200FF8 */ MAD(R2,xyzw, R0.x, c[155], R9); /* Slot 47: 0x00000000 0x00938055 0x0436186C 0x9F300FF8 */ MAD(R3,xyzw, R0.y, c[156], R2); /* Slot 48: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 49: 0x00000000 0x0057401B 0x3436186C 0x2070F818 */ MUL(oD0,xyzw, R3, c[186]); /* Slot 50: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> ==== HUD ==== ==== Shadow ==== ===== Skater ===== Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ====== Shader ====== <code> /* Slot 0: 0x00000000 0x007002AA 0x0C361400 0x28200FF8 */ ADD(R2,x, c[128].z, -v1.x); /* Slot 1: 0x00000000 0x00CC001B 0x0836186C 0x28300FF8 */ DPH(R3,x, v0, c[96]); /* Slot 2: 0x00000000 0x00CC201B 0x0836186C 0x24300FF8 */ DPH(R3,y, v0, c[97]); /* Slot 3: 0x00000000 0x00CC401B 0x0836186C 0x22300FF8 */ DPH(R3,z, v0, c[98]); /* Slot 4: 0x00000000 0x00CC601B 0x0836186C 0x28400FF8 */ DPH(R4,x, v0, c[99]); /* Slot 5: 0x00000000 0x00CC801B 0x0836186C 0x24400FF8 */ DPH(R4,y, v0, c[100]); /* Slot 6: 0x00000000 0x00CCA01B 0x0836186C 0x22400FF8 */ DPH(R4,z, v0, c[101]); /* Slot 7: 0x00000000 0x0040021A 0x3400106C 0x2E500FF8 */ MUL(R5,xyz, R3.xyz, v1.x); /* Slot 8: 0x00000000 0x0080001A 0x44004869 0x5E600FF8 */ MAD(R6,xyz, R4.xyz, R2.x, R5.xyz); /* Slot 9: 0x00000000 0x00CEA01B 0x6436186C 0x20708800 */ DPH(oPos,x, R6, c[117]); /* Slot 10: 0x00000000 0x00CEC01B 0x6436186C 0x20704800 */ DPH(oPos,y, R6, c[118]); /* Slot 11: 0x00000000 0x00CEE01B 0x6436186C 0x20702800 */ DPH(oPos,z, R6, c[119]); /* Slot 12: 0x00000000 0x00CF001B 0x6436186C 0x20701800 */ DPH(oPos,w, R6, c[120]); /* Slot 13: 0x00000000 0x0647401B 0xC4361BFF 0x1078E800 */ MUL(oPos,xyz, R12, c[58]); RCC(R1,x, R12.w); /* Slot 14: 0x00000000 0x0087601B 0xC400286C 0x3070E801 */ MAD(oPos,xyz, R12, R1.x, c[59]); </code> 80eabe4335b139faf09d0512c6488c6b73a4ff07 0 14 5287 5211 2017-05-22T14:52:56Z JayFoxRox 2 JayFoxRox moved page [[Games/Kung Fu Chaos]] to [[Kung Fu Chaos]] without leaving a redirect wikitext text/x-wiki == Fullscreen blit shader == <pre> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -240, 16777215, 0 } c[59] = { 320.53125, 240.53125, 0, 0} c[100] = { 640, 480, 0, 5.06639553e-05} c[101] = { 0, 0, 0, 1} c[102] = {1/320, -1/240, 1, 1} c[103] = { 1, -1, 0, 0} c[104] = { 0, 0, 0, 0} c[105] = { 320, -240, 16777215, 0 } c[106] = { 320.53125, 240.53125, 0, 0} /* Slot 0: 0x00000000 0x002D001B 0x0C36106C 0x28200FF8 */ // R2.x = 0.0; MOV(R2,x, c[104]); /* Slot 1: 0x00000000 0x002CC01B 0x0C36106C 0x2F900FF8 */ // R9 = {1/320, -1/240, 1, 1} MOV(R9,xyzw, c[102]); /* Slot 2: 0x00000000 0x024CE200 0x2636186C 0x2C50F81C */ // R5.xy = R2.x * { -1, +1 } // -> R5.xy = 0.0 .. FIXME: This makes no sense? R2.x was just set to zero?! [from C104.x !!] // oD0 = v1 MUL(R5,xy, R2.x, -c[103]); MOV(oD0,xyzw, v1); /* Slot 3: 0x00000000 0x006CC0AA 0x0C36146C 0x98300FF8 */ ADD(R3,x, c[102].z, -R2); // -> R3.x = C[102].z = 1.0 /* Slot 4: 0x00000000 0x008CC000 0x242A1800 0xDC400FF8 */ MAD(R4,xy, R2.x, c[102].xy, R3.x); // -> R4.xy = R3.xx = {1,1} /* Slot 5: 0x00000000 0x008D2000 0x242A1800 0xDC600FF8 */ MAD(R6,xy, R2.x, c[105].xy, R3.x); // -> R6.xy = R3.xx = {1,1} /* Slot 6: 0x00000000 0x004D4000 0x242A186C 0x2C700FF8 */ MUL(R7,xy, R2.x, c[106].xy); // -> R7.xy = 0.0 /* Slot 7: 0x00000000 0x0080041B 0x0836886D 0x5C800FF8 */ MAD(R8,xy, v2, R4, R5); // -> R8 = v2 * R4 = v2 oT0.xy = R8 * R6 + R7 // -> v2 oT1.xy = R8 * R6 + R7 // -> v2 /* Slot 8: 0x00000000 0x004CA01A 0x0C37286C 0x2FA00FF8 */ MUL(R10,xyzw, c[101].xyz, R9); /* Slot 11: 0x00000000 0x006CE01B 0xA436146C 0x3070F800 */ ADD(oPos,xyzw, R10, -c[103]); /* Slot 12: 0x00000000 0x004C8015 0x942A186C 0x2CB00FF8 */ MUL(R11,xy, R9.xy, c[100].xy); /* Slot 13: 0x00000000 0x00800015 0x082B6857 0x1070C800 */ MAD(oPos,xy, v0.xy, R11.xy, R12.xy); SET FOG: /* Slot 14: 0x00000000 0x004C80FF 0x0DFF886C 0x20708828 */ MUL(oFog,x, c[100].w, R12.w); DO VIEWPORT TRANSFORM: /* Slot 15: 0x00000000 0x0047401B 0xC436186C 0x2070C800 */ MUL(oPos,xy, R12, c[58]); /* Slot 16: 0x00000000 0x0067601B 0xC436106C 0x3070C801 */ ADD(oPos,xy, R12, c[59]); SPACE CONVERSION [XQEMU only]: if (oPos.w == 0.0 || isinf(oPos.w)) { vtx.inv_w = 1.0; } else { vtx.inv_w = 1.0 / oPos.w; } oPos.x = 2.0 * (oPos.x - surfaceSize.x * 0.5) / surfaceSize.x; oPos.y = -2.0 * (oPos.y - surfaceSize.y * 0.5) / surfaceSize.y; if (clipRange.y != clipRange.x) { oPos.z = (oPos.z - 0.5 * (clipRange.x + clipRange.y)) / (0.5 * (clipRange.y - clipRange.x)); } if (oPos.w <= 0.0) { oPos.xyz *= oPos.w; } else { oPos.w = 1.0; } /* Make the world a happy place! */ #if 1 oFog.xyzw = vec4(1.0); oPos.xy = v0.xy; oPos.y *= -1.0; oPos.z = 0.5; oPos.w = 1.0; vtx.inv_w = 1.0; #endif </pre> 8d488ea3b212db3fc0de6cc913976ea14d31e31d 5303 5287 2017-05-22T15:05:22Z JayFoxRox 2 wikitext text/x-wiki {{Game}} == Fullscreen blit shader == <pre> v0.xy { {0,0} {0,1} {1,1} {1,0} } surfaceSize = {640,480} clipRange = {0,16777215} c[58] = { 320, -240, 16777215, 0 } c[59] = { 320.53125, 240.53125, 0, 0} c[100] = { 640, 480, 0, 5.06639553e-05} c[101] = { 0, 0, 0, 1} c[102] = {1/320, -1/240, 1, 1} c[103] = { 1, -1, 0, 0} c[104] = { 0, 0, 0, 0} c[105] = { 320, -240, 16777215, 0 } c[106] = { 320.53125, 240.53125, 0, 0} /* Slot 0: 0x00000000 0x002D001B 0x0C36106C 0x28200FF8 */ // R2.x = 0.0; MOV(R2,x, c[104]); /* Slot 1: 0x00000000 0x002CC01B 0x0C36106C 0x2F900FF8 */ // R9 = {1/320, -1/240, 1, 1} MOV(R9,xyzw, c[102]); /* Slot 2: 0x00000000 0x024CE200 0x2636186C 0x2C50F81C */ // R5.xy = R2.x * { -1, +1 } // -> R5.xy = 0.0 .. FIXME: This makes no sense? R2.x was just set to zero?! [from C104.x !!] // oD0 = v1 MUL(R5,xy, R2.x, -c[103]); MOV(oD0,xyzw, v1); /* Slot 3: 0x00000000 0x006CC0AA 0x0C36146C 0x98300FF8 */ ADD(R3,x, c[102].z, -R2); // -> R3.x = C[102].z = 1.0 /* Slot 4: 0x00000000 0x008CC000 0x242A1800 0xDC400FF8 */ MAD(R4,xy, R2.x, c[102].xy, R3.x); // -> R4.xy = R3.xx = {1,1} /* Slot 5: 0x00000000 0x008D2000 0x242A1800 0xDC600FF8 */ MAD(R6,xy, R2.x, c[105].xy, R3.x); // -> R6.xy = R3.xx = {1,1} /* Slot 6: 0x00000000 0x004D4000 0x242A186C 0x2C700FF8 */ MUL(R7,xy, R2.x, c[106].xy); // -> R7.xy = 0.0 /* Slot 7: 0x00000000 0x0080041B 0x0836886D 0x5C800FF8 */ MAD(R8,xy, v2, R4, R5); // -> R8 = v2 * R4 = v2 oT0.xy = R8 * R6 + R7 // -> v2 oT1.xy = R8 * R6 + R7 // -> v2 /* Slot 8: 0x00000000 0x004CA01A 0x0C37286C 0x2FA00FF8 */ MUL(R10,xyzw, c[101].xyz, R9); /* Slot 11: 0x00000000 0x006CE01B 0xA436146C 0x3070F800 */ ADD(oPos,xyzw, R10, -c[103]); /* Slot 12: 0x00000000 0x004C8015 0x942A186C 0x2CB00FF8 */ MUL(R11,xy, R9.xy, c[100].xy); /* Slot 13: 0x00000000 0x00800015 0x082B6857 0x1070C800 */ MAD(oPos,xy, v0.xy, R11.xy, R12.xy); SET FOG: /* Slot 14: 0x00000000 0x004C80FF 0x0DFF886C 0x20708828 */ MUL(oFog,x, c[100].w, R12.w); DO VIEWPORT TRANSFORM: /* Slot 15: 0x00000000 0x0047401B 0xC436186C 0x2070C800 */ MUL(oPos,xy, R12, c[58]); /* Slot 16: 0x00000000 0x0067601B 0xC436106C 0x3070C801 */ ADD(oPos,xy, R12, c[59]); SPACE CONVERSION [XQEMU only]: if (oPos.w == 0.0 || isinf(oPos.w)) { vtx.inv_w = 1.0; } else { vtx.inv_w = 1.0 / oPos.w; } oPos.x = 2.0 * (oPos.x - surfaceSize.x * 0.5) / surfaceSize.x; oPos.y = -2.0 * (oPos.y - surfaceSize.y * 0.5) / surfaceSize.y; if (clipRange.y != clipRange.x) { oPos.z = (oPos.z - 0.5 * (clipRange.x + clipRange.y)) / (0.5 * (clipRange.y - clipRange.x)); } if (oPos.w <= 0.0) { oPos.xyz *= oPos.w; } else { oPos.w = 1.0; } /* Make the world a happy place! */ #if 1 oFog.xyzw = vec4(1.0); oPos.xy = v0.xy; oPos.y *= -1.0; oPos.z = 0.5; oPos.w = 1.0; vtx.inv_w = 1.0; #endif </pre> 8f881a1f86dee5ad5e2134cb605a10df75f54205 0 3706 5288 5244 2017-05-22T14:54:25Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] f8947836c54ea266e143b40ea0dd3b9cc29ad8a3 14 3719 5293 2017-05-22T14:57:23Z JayFoxRox 2 Created blank page wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 1 5294 5248 2017-05-22T14:59:10Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] ** [[Hard Drive]] ** [[USB]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] [[:Category:Games|Games]] * [[Engine List]] Emulation * [[Emulators]] Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 7c1e95a71ded73be3507ffc66852d442ac74632a 0 4 5301 5262 2017-05-22T15:03:15Z JayFoxRox 2 wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | [[Far Cry Instincts]] | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | [[Far Cry Instincts: Evolution]] | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !width="11%"| Title !width="9%"| Year !width="15%"| Platform !width="30%"| Publisher/Developer |- | [[AFL Live 2003]] | 2002 | PlayStation 2, Xbox | IR Gurus |- | [[AFL Live 2004]] | 2003 | PlayStation 2, Xbox | IR Gurus |- | [[AFL Live Premiership Edition]] | 2004 | PlayStation 2, Xbox | IR Gurus |- | Battlefield 2: Modern Combat | 2005 | PlayStation 2, Xbox, Xbox 360 | Digital Illusions CE |- | Black | 2006 | PlayStation 2, Xbox, | Criterion Games/Electronic Arts |- | Blitz: The League | 2005 | PlayStation 2, Xbox | Midway Games |- | Broken Sword: The Sleeping Dragon | 2003 | PlayStation 2, PC, Xbox | The Adventure Company, THQ |- | Burnout | 2001 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 2: Point of Impact | 2002 | GameCube, PlayStation 2, Xbox | Criterion Games/Acclaim Entertainment |- | Burnout 3: Takedown | 2004 | PlayStation 2, Xbox | Criterion Games/Electronic Arts |- | Burnout Revenge | 2005 | PlayStation 2, Xbox, Xbox 360 | Criterion Games/Electronic Arts |- | Call of Duty: Finest Hour | 2004 | GameCube, PlayStation 2, Xbox | Activision Publishing |- | Cold Fear | 2005 | PlayStation 2, Xbox, PC | Darkworks, Ubisoft |- | Commandos: Strike Force | 2006 | PlayStation 2, PC, Xbox | Eidos Interactive |- | Darkwatch | 2005 | PlayStation 2, Xbox | Capcom |- | Dead to Rights II | 2005 | PlayStation 2, Xbox | WideScreen Games, Namco Hometek |- | Evil Dead: Regeneration | 2005 | PlayStation 2, Xbox, Windows | Cranky Pants Games, THQ |- | Gauntlet: Seven Sorrows | 2005 | PlayStation 2, Xbox | Midway Home Entertainment Inc. |- | Grand Theft Auto III | 2001 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: Vice City | 2002 | PlayStation 2, PlayStation 3, PC, Xbox, Mac OS X, IOS, Android | Rockstar Games, Take-Two Interactive |- | Grand Theft Auto: San Andreas | 2004 | PlayStation 2, PlayStation 3, PC, Xbox, Xbox 360, Mac OS X, IOS, Android, Windows Phone, Amazon Kindle | Rockstar Games, Take-Two Interactive |- | Harry Potter and the Prisoner of Azkaban | 2004 | PlayStation 2, GameCube, Xbox | Electronic Arts |- | Harry Potter and the Goblet of Fire | 2005 | Nintendo DS, PlayStation 2, PSP, GameCube, Windows, Xbox | Electronic Arts |- | Headhunter Redemption | 2004 | PlayStation 2, Xbox | SEGA of America |- | Hello Kitty: Roller Rescue | 2005 | PlayStation 2, GameCube, Xbox, PC | XPEC Entertainment |- | Kill Switch | 2003 | PlayStation 2, PC, Xbox | Hip Interactive, Namco Hometek |- | Madagascar | 2005 | GameCube, PlayStation 2, PC, Xbox | Activision Publishing |- | Manhunt | 2003 | PC, PlayStation 2, Xbox | Rockstar North |- | Max Payne 2: The Fall of Max Payne | 2003 | PlayStation 2, Xbox | Rockstar Vienna |- | Major League Baseball 2K5 | 2004 | PlayStation 2, Xbox | 2K Sports |- | Mortal Kombat: Armageddon | 2006 | PlayStation 2, Xbox, Wii | Midway Home Entertainment Inc. |- | Mortal Kombat: Deadly Alliance | 2002 | Game Boy Advance, GameCube, PlayStation 2, Xbox | Midway |- | Mortal Kombat: Deception | 2004 | GameCube, PlayStation 2, Xbox | Midway Home Entertainment |- | NBA Ballers | 2004 | PlayStation 2, Xbox | Midway, Midway Games |- | NFL Blitz 2003 | 2002 | PlayStation 2, GameCube, Microsoft Xbox | Midway |- | Rugby League | 2003 | PlayStation 2, PC, Xbox | Tru Blu Entertainment |- | ObsCure | 2004 | PlayStation 2, Windows, Xbox | DreamCatcher Interactive, MC2 France, MC2-Microïds |- | Outlaw Golf 2 | 2004 | PlayStation 2, Xbox | Global Star Software |- | Puyo Pop: Fever | 2004 | PlayStation 2, GameCube, Xbox | SEGA |- | RoboCop | 2003 | PC, PlayStation 2, Xbox | Titus Software |- | Rolling | 2003 | PlayStation 2, Xbox | Rage Software |- | Alfa Romeo Racing Italiano | 2005 | PlayStation 2, Xbox, PC | Black Bean, Milestone |- | Secret Weapons Over Normandy | 2003 | PlayStation 2, Xbox, PC | Lucas Arts/Totally Games |- | Shadow the Hedgehog | 2005 | PlayStation 2, GameCube, Xbox | SEGA/Sonic Team USA |- | Sonic Heroes | 2003 | PlayStation 2, GameCube, Xbox, PC | SEGA/Sonic Team USA |- | SpongeBob SquarePants: Battle for Bikini Bottom | 2003 | GameCube, PlayStation 2, PC, Xbox | THQ, Heavy Iron Studios, Aspyr |- | [[Tech Deck Dude Bare Knuckle Grind]] | 2005 | Xbox, PC | Visionscape Interactive |- | Teenage Mutant Ninja Turtles: Mutant Melee | 2005 | GameCube, PlayStation 2, Xbox, PC | Konami |- | The Incredibles: Rise of the Underminer | 2005 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | THQ |- | The Incredibles | 2004 | Mac OS X, GameCube, PlayStation 2, Windows, Xbox | D3 Publisher, Noviy Disk, Snowball.ru, THQ |- | The SpongeBob SquarePants Movie Game | 2005 | GameCube, PlayStation 2, PC, Xbox | THQ, Aspyr, Heavy Iron Studios |- | The Warriors | 2005 | PlayStation 2, Xbox | Rockstar Toronto, Rockstar Games |- | Tony Hawk's Pro Skater 3 | 2001 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Tony Hawk's Pro Skater 4 | 2002 | GameCube, PlayStation 2, PC, Xbox | Neversoft, Activision |- | Total Overdose: A Gunslinger's Tale in Mexico | 2005 | PlayStation 2, Xbox, PC | SCI Games |- | Toxic Grind | 2002 | Xbox | THQ, Blue Shift Inc. |- | Without Warning | 2005 | PlayStation 2, Xbox | Capcom Entertainment |- | Yourself!Fitness | 2004 | PlayStation 2, Xbox, PC | responDESIGN |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121 | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 6483d20f5d547fb4ea7d7d008c30c3bd6b311e29 5304 5301 2017-05-22T15:14:36Z JayFoxRox 2 /* Renderware */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title ! Year ! Developer ! Publisher ! Platform |- | [[Far Cry Instincts]] | 2005 | Ubisoft Montreal | Ubisoft | Xbox |- | [[Far Cry Instincts: Evolution]] | 2006 | Ubisoft Montreal | Ubisoft | Xbox |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121 | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 3650b2586912fbf70e6d53688365a8f05fd46562 5305 5304 2017-05-22T15:15:20Z JayFoxRox 2 /* CryEngine 1 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2002/02/17 | New Legends | Action-adventure | Xbox | Infinite Machine^{[http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/g0810/029g10/29g10.asp&guid=%20this <nowiki>[Ref]</nowiki>]} | THQ | UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121 | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* f96c4fc3e0d05ec25a0f917d8bce6952a560a120 5306 5305 2017-05-22T15:16:25Z JayFoxRox 2 /* Unreal Engine 1 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !width="18%"| Release date !width="9%"| Title !width="9%"| Genre !width="13%"| Platform !width="14%"| Developer !width="14%"| Publisher !width="20%"| Engine Version |- | 2005/05/31 - Xbox<br>2005/08/09 - PC | Advent Rising | Third person action-adventure | Microsoft Windows, Xbox | GlyphX Games | Majesco Entertainment | UE2 Build 2226 |- | 2005/11/17 | America's Army: Rise of a Soldier | First Person Shooter | Xbox | Secret Level | Ubisoft | UT2003 Build 928 |- | 2005/10/06 - PC<br>2005/10/06 - Xbox<br>2005/10/26 - PS2 | Brothers in Arms: Earned in Blood | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/01 - Xbox<br>2005/03/15 - PC<br>2005/03/15 - Xbox | Brothers in Arms: Road to Hill 30 | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2 | Gearbox Software | Ubisoft | UE2 Build 2226 |- | 2005/03/23 - PC<br>2005/03/23 - Xbox<br>2006/01/26 - Europe(PC) | Combat: Task Force 121 | First-person shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://www.xgpgaming.com/news/news.php?id=1216%20XGP%20Gaming:%20Combat:%20Task%20Force%20121%20Announced <nowiki>[Ref]</nowiki>]}^{[http://www.extremegamer.ca/xbox/games/combat121.php <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2004/03/03 - Xbox<br>2004/03/18 - PC | Dead Man's Hand | First Person Shooter | Microsoft Windows, Xbox | Human Head Studios | Atari | UE2 Build 2110 |- | 2003/12/02 | Deus Ex: Invisible War | Action role-playing game | Microsoft Windows, Xbox | Ion Storm Inc. | Eidos Interactive | Warfare Build 777 |- | 2005/10/20 - PC<br>2005/10/26 - Xbox | Land of the Dead: Road to Fiddler's Green | First Person Shooter | Microsoft Windows, Xbox | Brainbox Games | Groove Games | UE2 BUild 2226 |- | 2003/11/18 | Magic the Gathering: Battlegrounds | Fighting | Microsoft Windows, Xbox | Secret Level | Atari | Warfare Build 926 |- | 2004/10/19 - Xbox<br>2004/10/26 - PC | Men of Valor | First Person Shooter | Microsoft Windows, Xbox | 2015, Inc. | Vivendi Universal Games | Warfare Build 926 |- | 2006/09/19 - PC<br>2006/09/19 - Xbox<br>2006/09/19 - Xbox 360<br>2006/09/19 - PS2<br>2006/09/19 - PS3<br>2006/09/19 - PSP<br>2006/09/19 - GC<br>2006/11/30 - Wii | Open Season | Action-adventure | Microsoft Windows,<br>Xbox, PlayStation 2,<br>Xbox 360,<br>GameCube, Wii,<br> PlayStation Portable | Ubisoft Montreal(PC and Consoles),<br>Ubisoft Quebec(PSP) | Ubisoft | Warfare Build 927 |- | 2005/05/03 | Pariah | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20080223094646/http://www.pcauthority.com.au/review.aspx?CIaRID=2691%20Pariah%20-%20Games%20-%20Review%20-%20www.pcauthority.com.au <nowiki>[Ref]</nowiki>]}^{[http://pc.ign.com/objects/665/665243.html <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2004/06/15 - Xbox<br>2004/09/21 - PC | Shadow Ops: Red Mercury | First Person Shooter | Microsoft Windows, Xbox | Zombie Studios | Atari | UE2 Build 2110 |- | 2005/03/01 | Star Wars: Republic Commando | First Person Shooter | Microsoft Windows, Xbox | LucasArts^{[http://pc.ign.com/objects/566/566923.html%20IGN:%20Star%20Wars%20Republic%20Commando <nowiki>[Ref]</nowiki>]}^{[http://web.archive.org/web/20060530190850/http://www.gameaxis.com/articles/view.gax?id=530&gid=884 <nowiki>[Ref]</nowiki>]} | LucasArts | UE2 Build 2226 |- | 2004/05/25 | Thief: Deadly Shadows | Stealth | Microsoft Windows, Xbox | Ion Storm | Eidos Interactive | Warfare Build 777 |- | 2006/03/09 - Xbox<br>2006/03/28 - PS2 | Tom Clancy's Ghost Recon: Advanced Warfighter | First Person Shooter | Xbox, PlayStation 2 | Ubisoft Shanghai / Ubisoft Paris | Ubisoft | Warfare Build 927 |- | 2003/10/28 - Xbox<br>2004/03/23 - PS2<br>2004/06/15 - GC | Tom Clancy's Rainbow Six 3 | First Person Shooter | Xbox, PlayStation 2,<br>GameCube | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2004/08/04 | Tom Clancy's Rainbow Six 3: Black Arrow | First Person Shooter | Xbox | Ubisoft Montreal | Ubisoft | Warfare Build 927 |- | 2002/11/17 - Xbox<br>2003/02/19 - PC<br>2003/04/08 - PS2<br>2003/04/10 - GC | Tom Clancy's Splinter Cell | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube, OS X | Ubisoft Montreal | Ubisoft | Warfare Build 829 |- | 2005/03/28 - PC<br>2005/03/28 - Xbox<br>2005/03/28 - PS2<br>2005/03/31 - GC<br>2008/04/21 - Xbox 360 | Tom Clancy's Splinter Cell: Chaos Theory | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube,<br>Xbox 360 | Ubisoft Montreal - Singleplayer &amp; Co-op mode<br>Ubisoft Annency - Versus mode | Ubisoft | Warfare Build 829 - Singleplayer &amp; Co-op mode<br>UE2 Build 2110 - Versus mode |- | 2006/10/17 - Xbox 360<br>2006/10/24 - Xbox<br>2006/10/24 - PS2<br>2006/10/26 - GC<br>2006/11/07 - PC<br>2007/11/28 - Wii<br>2007/03/30 - PS3 | Tom Clancy's Splinter Cell: Double Agent | Stealth | Microsoft Windows,<br> Xbox, PlayStation 2,<br>Xbox 360, PlayStation 3,<br>GameCube, Wii | Ubisoft Montreal - Offline mode for Xbox, PlayStation 2, GameCube, and Wii versions<br>Ubisoft Shanghai - Offline mode for Xbox 360, PlayStation 3, and PC versions<br>Ubisoft Annency - Online mode for PC, Xbox, Xbox 360, PlayStation 2, and PlayStation 3 version<br>online excluded that GC and Wii versions | Ubisoft | Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- | 2004/03/23 - PC<br>2004/03/23 - Xbox<br>2004/06/16 - PS2<br>2004/06/20 - GC | Tom Clancy's Splinter Cell: Pandora Tomorrow | Stealth | Microsoft Windows, Xbox,<br>PlayStation 2, GameCube | Ubisoft Shanghai - Singleplayer mode<br>Ubisoft Annency - Multiplayer mode | Ubisoft | Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- | 2003/02/03 - PC<br>2004/02/10 - Xbox | Unreal II: The Awakening | First Person Shooter | Microsoft Windows, Xbox | Legend Entertainment | Atari | Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- | 2002/11/12 | Unreal Championship | First Person Shooter | Xbox | Digital Extremes | Atari | UT2003 Build 928 |- | 2005/04/18 | Unreal Championship 2: The Liandri Conflict | First Person Shooter / Third Person Shooter | Xbox | Epic Games | Midway Games | UE2 build 2227 with some UE2.5 code<br>(UE2X) |- | 2006/06/18 - PC<br>2006/06/24 - Xbox | Warpath | First Person Shooter | Microsoft Windows, Xbox | Digital Extremes^{[http://web.archive.org/web/20070323035959/http://www.groovegames.com/Games/Warpath/index.php%3E <nowiki>[Ref]</nowiki>]} | Groove Games | UT2003 Build 928 with some UE2.5 code |- | 2006/01/24 - Xbox<br>2006/04/03 - PC<br>2007/03/27 - Europe(PC) | World War II Combat: Road to Berlin | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games | Groove Games | UE2 Build 2110 |- | 2006/06/21 - Xbox<br>2006/06/25 - PC<br>2007/06/25 - Europe(PC) | World War II Combat: Iwo Jima | First Person Shooter | Microsoft Windows, Xbox | Direct Action Games^{[http://web.archive.org/web/20110718173237/http://bonusweb.idnes.cz/download/screenshoty/ww2combat_ijscr.html <nowiki>[Ref]</nowiki>]} | Groove Games | UE2 Build 2110 |- | 2003/11/18 - PC<br>2003/11/18 - PS2<br>2003/11/24 - Xbox | XIII | First Person Shooter | Microsoft Windows,<br>Xbox, PlayStation 2,<br>GameCube, OS X | Ubisoft Paris | Ubisoft | Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 3ac9218cb76f125e04ce37155c6884c5e329287e 5308 5306 2017-05-22T15:21:20Z JayFoxRox 2 /* Unreal Engine 2 */ wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |- |[[Advent Rising]] |UE2 Build 2226 |- |[[America's Army: Rise of a Soldier]] |UT2003 Build 928 |- |[[Brothers in Arms: Earned in Blood]] |UE2 Build 2226 |- |[[Brothers in Arms: Road to Hill 30]] |UE2 Build 2226 |- |[[Combat: Task Force 121]] |UE2 Build 2110 |- |[[Dead Man's Hand]] |UE2 Build 2110 |- |[[Deus Ex: Invisible War]] |Warfare Build 777 |- |[[Land of the Dead: Road to Fiddler's Green]] |UE2 BUild 2226 |- |[[Magic the Gathering: Battlegrounds]] |Warfare Build 926 |- |[[Men of Valor]] |Warfare Build 926 |- |[[Open Season]] |Warfare Build 927 |- |[[Pariah]] |UT2003 Build 928 with some UE2.5 code |- |[[Shadow Ops: Red Mercury]] |UE2 Build 2110 |- |[[Star Wars: Republic Commando]] |UE2 Build 2226 |- |[[Thief: Deadly Shadows]] |Warfare Build 777 |- |[[Tom Clancy's Ghost Recon: Advanced Warfighter]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3: Black Arrow]] |Warfare Build 927 |- |[[Tom Clancy's Splinter Cell]] |Warfare Build 829 |- |[[Tom Clancy's Splinter Cell: Chaos Theory]] |Warfare Build 829 - Singleplayer & Co-op mode UE2 Build 2110 - Versus mode |- |[[Tom Clancy's Splinter Cell: Double Agent]] |Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- |[[Tom Clancy's Splinter Cell: Pandora Tomorrow]] |Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- |[[Unreal II: The Awakening]] |Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- |[[Unreal Championship]] |UT2003 Build 928 |- |[[Unreal Championship 2: The Liandri Conflict]] |UE2 build 2227 with some UE2.5 code<br>(UE2X) |- |[[Warpath]] |UT2003 Build 928 with some UE2.5 code |- |[[World War II Combat: Road to Berlin]] |UE2 Build 2110 |- |[[World War II Combat: Iwo Jima]] |UE2 Build 2110 |- |[[XIII]] |Warfare Build 829 |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License* 003cccc6e74a444411ed445ef6cc0aebdeb575bd 0 3689 5307 5264 2017-05-22T15:18:42Z Furon 2477 /* Commands */ Start work on command table wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== {| class="wikitable" style="margin: 0 auto; text-align: center;" |+ Command availability by XBDM version |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | altaddr | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | bye | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | continue | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | debugger | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | deftitle | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | delete | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | dirlist | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | except | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | exceptif | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | flash | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | fmtfat | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | funccall | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | getcontext | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | getextcontext | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | getfile | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | getmem | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | go | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | gpucount | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | halt | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | irtsweep | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | isbreak | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | isstopped | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | kd | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | magicboot | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | mkdir | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | modlong | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | modsections | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | modules | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | nostopon | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | notify | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | notifyat | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | pssnap | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | querypc | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | reboot | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | rename | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | resume | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | screenshot | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | sendfile | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | setcontext | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | setsystime | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | stopon | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | suspend | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | systime | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | threadinfo | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | threads | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background-color: #CEF2E0" | ✓ | colspan=20 | |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 25fcd898a3a5e8f8142c4cc8379c4d8658ce869a 5311 5307 2017-05-22T16:05:05Z Furon 2477 /* Commands */ Fix 3944 and add 4039 wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== {| class="wikitable" style="margin: 0 auto; text-align: center;" |+ Command availability by XBDM version |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | altaddr | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | authuser | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | break | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | bye | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | continue | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | dbgname | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | debugger | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | debugmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | deftitle | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | delete | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | dirlist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | drivelist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | flash | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | fmtfat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | funccall | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getextcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getmem | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | go | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | gpucount | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | halt | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | irtsweep | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | isbreak | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | isstopped | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | kd | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | keyxchg | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | lockmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | magicboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | mkdir | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modlong | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modsections | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modules | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | nostopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | notify | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | notifyat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | pclist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | pssnap | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | querypc | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | reboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | rename | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | resume | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | screenshot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | sendfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setconfig | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setsystime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | stop | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | stopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | suspend | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | systime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | threadinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | threads | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | title | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | user | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | userlist | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | vssnap | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 68b329f015e4bace367c883f4f93360aae83afe2 5312 5311 2017-05-22T16:08:26Z Furon 2477 /* Remote Debugging and Control Protocol */ Mention that 3944 sends 200 instead of 201 on connect wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== {| class="wikitable" style="margin: 0 auto; text-align: center;" |+ Command availability by XBDM version |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | altaddr | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | authuser | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | break | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | bye | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | continue | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | dbgname | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | debugger | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | debugmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | deftitle | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | delete | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | dirlist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | drivelist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | flash | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | fmtfat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | funccall | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getextcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getmem | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | go | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | gpucount | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | halt | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | irtsweep | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | isbreak | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | isstopped | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | kd | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | keyxchg | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | lockmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | magicboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | mkdir | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modlong | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modsections | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | modules | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | nostopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | notify | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | notifyat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | pclist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | pssnap | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | querypc | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | reboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | rename | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | resume | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | screenshot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | sendfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setconfig | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setsystime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | stop | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | stopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | suspend | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | systime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | threadinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | threads | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | title | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | user | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | userlist | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | vssnap | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=19 | |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 0e84605cebd1da251e072a162fe610812dd20468 5313 5312 2017-05-22T16:38:19Z Furon 2477 /* Commands */ Add 4134, 4242, and 4361 wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== {| class="wikitable" style="margin: 0 auto; text-align: center;" |+ Command availability by XBDM version |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | altaddr | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | authuser | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | boxid | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | break | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | bye | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | continue | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | dbgname | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | debugger | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | debugmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | dedicate | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | deftitle | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | delete | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | dirlist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | drivelist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | dvdblk | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | flash | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | fmtfat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | funccall | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getextcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getmem | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | go | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | gpucount | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | halt | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | irtsweep | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | isbreak | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | isstopped | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | kd | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | keyxchg | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | lockmode | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | magicboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | mkdir | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | mmglobal | style="background-color: #F2CECE" | ✗ | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | modlong | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | modsections | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | modules | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | nostopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | notify | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | notifyat | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | pclist | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | pssnap | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | querypc | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | reboot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | rename | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | resume | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | screenshot | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | sendfile | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | setconfig | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | setcontext | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | setsystime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | stop | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | stopon | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | suspend | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | systime | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | threadinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | threads | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | title | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | user | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | userlist | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | vssnap | style="background-color: #F2CECE" | ✗ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | style="background-color: #CEF2E0" | ✓ | colspan=16 | |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 3b1d424b5167d1ab19ee28945f6e055fadce6c50 5320 5313 2017-05-22T20:03:47Z Furon 2477 /* Commands */ Move command table to a separate page wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' TODO ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 10e9e1e8d62fe04e0fd073978bed6415b814a8ef 5327 5320 2017-05-22T21:08:06Z Furon 2477 Add command section stubs wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 71a14a4a5dba9f948600f8807a64a45816f7673f 0 3720 5309 2017-05-22T15:26:59Z JayFoxRox 2 Created page with "{{Game}} * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek]" wikitext text/x-wiki {{Game}} * [https://sites.google.com/site/richgel99/home Deferred Rendering in Shrek] 8f20be5909eb5c46b8c743cfb6ea571cee0d7089 0 3 5310 5228 2017-05-22T15:27:39Z JayFoxRox 2 Link moved to Shrek page wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php Designing the Boot Sound for the Original Xbox (Brian Schmidt)] * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past] 02176496e0d69c8da2a5a41f98f0aefc53db6af1 0 3721 5319 2017-05-22T20:02:57Z Furon 2477 Created page with "{| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 !..." wikitext text/x-wiki {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | altaddr | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | authuser | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | boxid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | break | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | bye | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ |- | style="font-family: monospace; text-align: left" | capctrl | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | continue | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | crashdump | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | d3dopcode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgname | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgoptions | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugger | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugmode | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dedicate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | deftitle | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | delete | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dirlist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dmversion | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivelist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdblk | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdperf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | flash | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | fmtfat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | funccall | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getd3dstate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getextcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getgamma | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem2 | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpalette | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsum | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsurf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getutildrvinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | go | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | gpucount | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | halt | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | irtsweep | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isbreak | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isdebugger | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | kd | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | keyxchg | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lockmode | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lop | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | magicboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | memtrack | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mkdir | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mmglobal | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modlong | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modsections | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modules | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | nostopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notify | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notifyat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pbsnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pclist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pdbinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pssnap | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | querypc | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | reboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | rename | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | resume | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | screenshot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | servname | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setconfig | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setsystime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | signcontent | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stop | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | suspend | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | sysfileupd | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | systime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threadinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threads | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | title | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | user | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | userlist | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | vssnap | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | walkmem | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | writefile | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} 4cb293cf453b32fc67431da4e824fb97e238d2ae 5321 5319 2017-05-22T20:23:39Z Furon 2477 Add description wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | altaddr | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | authuser | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | boxid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | break | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | bye | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ |- | style="font-family: monospace; text-align: left" | capctrl | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | continue | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | crashdump | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | d3dopcode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgname | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgoptions | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugger | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugmode | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dedicate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | deftitle | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | delete | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dirlist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dmversion | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivelist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdblk | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdperf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | flash | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | fmtfat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | funccall | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getd3dstate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getextcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getgamma | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem2 | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpalette | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsum | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsurf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getutildrvinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | go | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | gpucount | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | halt | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | irtsweep | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isbreak | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isdebugger | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | kd | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | keyxchg | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lockmode | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lop | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | magicboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | memtrack | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mkdir | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mmglobal | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modlong | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modsections | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modules | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | nostopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notify | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notifyat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pbsnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pclist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pdbinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pssnap | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | querypc | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | reboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | rename | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | resume | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | screenshot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | servname | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setconfig | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setsystime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | signcontent | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stop | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | suspend | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | sysfileupd | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | systime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threadinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threads | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | title | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | user | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | userlist | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | vssnap | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | walkmem | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | writefile | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} f07953db8c173e444e3d473f354ced10e6cf9298 1 3722 5322 2017-05-22T20:24:40Z Codeasm 2480 Created page with "The comcast url is broken maybe another source? Im not deleting it, because maybe you have another archive or link --~~~~" wikitext text/x-wiki The comcast url is broken maybe another source? Im not deleting it, because maybe you have another archive or link --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 13:24, 22 May 2017 (PDT) 64f1afe2088b1c633228e3b8b7f8be970d2ee726 5325 5322 2017-05-22T20:35:31Z JayFoxRox 2 wikitext text/x-wiki == Broken comcast URL == The comcast url is broken maybe another source? Im not deleting it, because maybe you have another archive or link --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 13:24, 22 May 2017 (PDT) It looks like comcast retroactively created a robots.txt which prevents this page from being shown. I've contacted archive.org about this on april 16th, but I didn't get a response yet. If I don't get a response soon I'll contact comcast about this too. I'm super pissed about the situation. That link worked when I added it a couple of months ago. I trusted archive to be an archive. - Looks like we'll need an archive archive: '''Please archive anything which is stored on archive (saving it locally or moving information to this wiki asap). New domain owners can retroactively delete stuff..''' --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 13:35, 22 May 2017 (PDT) f8214228ffca78ff397864ea4b06d456b0826af1 6 3723 5323 2017-05-22T20:25:59Z Codeasm 2480 Xbox dvd drive types. edited by CodeAsm for use on xboxdevwiki. wikitext text/x-wiki Xbox dvd drive types. edited by CodeAsm for use on xboxdevwiki. 1870e788c99af4c1102648c51d4d5c38f9fc776f 0 3704 5324 5227 2017-05-22T20:33:24Z Codeasm 2480 Added some more text and image I made with a nice comparison of the diferent drives. please edit text, my english is not grammar correct wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. There are four retail drives known to be used by Microsoft in the retail version of the console. any xbox dvd drive can be used in any retail xbox. Development kits can use and read debug signed code from these drives. Other drives that might work are firmware modded PC drives like Kreon drives. List of Xbox DVD Drive manufacturers * Thomson * Philips * Samsung * Hitachi-LG (mainly 1.6?) [[File:http://xboxdevwiki.net/images/b/b1/Xbox_drivedetermination.png]] == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] dc44a8b72a695869b37b059d127b5e20cfdfd919 5326 5324 2017-05-22T20:48:16Z Codeasm 2480 image trouble :P wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. There are four retail drives known to be used by Microsoft in the retail version of the console. any xbox dvd drive can be used in any retail xbox. Development kits can use and read debug signed code from these drives. Other drives that might work are firmware modded PC drives like Kreon drives. List of Xbox DVD Drive manufacturers * Thomson * Philips * Samsung * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] 4397a51ca6981bcbc477724e79bc446fea1087b6 0 3689 5328 5327 2017-05-22T23:02:16Z Furon 2477 Add getfile info wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {| class="wikitable" ! 3944-4432 | width="99%" | <span style="font: 14px monospace">getfile name=</span> |- ! 4532+ | <span style="font: 14px monospace">getfile name= [offset= size=]</span> |} ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 6ba071ee90d6d828b97b25839a0ab1dcbf2a2449 5329 5328 2017-05-22T23:10:35Z Furon 2477 /* getfile (Download file) */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {| class="wikitable" ! 3944-4432 | width="99%" | <span style="font: 14px monospace">getfile name=</span> |- ! 4531+ | <span style="font: 14px monospace">getfile name= [offset= size=]</span> |} ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. edc295efabd4f0f28ad0050bd5c927e804b22313 0 3700 5330 5256 2017-05-23T10:05:39Z JayFoxRox 2 /* Dumping */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |Kreon 0.80 (September 9th 2006) |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 601940e8310c1a87ca4b34a9bea1e5224d5cc417 5331 5330 2017-05-23T10:06:20Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon 0.80 (September 9th 2006) <br> Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] cc663856f99fa3cb635f7ec25cca6063e71e8bac 5332 5331 2017-05-23T10:07:56Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon 0.60 July 30th 2006) <br> Kreon 0.80 (September 9th 2006) <br> Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 568533e677e3fcfe058e669c347972050c15f209 5333 5332 2017-05-23T10:08:07Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon 0.60 (July 30th 2006) <br> Kreon 0.80 (September 9th 2006) <br> Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 9ed61ed708f146e1fec9a8e961c0784715b1b03d 5334 5333 2017-05-23T10:08:37Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |Kreon 0.60 (July 30th 2006) <br> Kreon 0.80 (September 9th 2006) <br> Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] a467eab338e3e1af01ef2348774c7f809af2afa9 5335 5334 2017-05-23T10:13:03Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/][https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 9e4bbdae03ce41d7bd0a4871cfda385c39d737c1 5336 5335 2017-05-23T10:17:05Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumping == To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 186ee9dfc3986932051cf10d9b6252d957a3bed8 5351 5336 2017-05-23T19:57:40Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== SS.bin ==== 2048 Bytes Challenge entry: {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Level || |- |1 || Challenge id || |- |2 || Challenge value || |- |6 || Response modifier || |- |7 || Response value || |} Security sector range {| class="wikitable" ! Offset !! Field !! Notes |- |3 || Start PSN || |- |6 || End PSN || |} Overall format: {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Bookversion and Booktype || |- |768 || Version of challenge table || |- |769 || Number of challenge entries || |- |770 || Challenge entries || |- |1633 || 16 security sector ranges || |- |1840 || 16 security sector ranges || Copy from Offset 1633 |- |} Note that this information is still incomplete! ==== DMI.bin ==== 2048 Bytes ==== PFI.bin ==== 2048 Bytes === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] f0c92bd8627476f9741b4b67d933143a75a45b1d 5352 5351 2017-05-23T19:58:21Z JayFoxRox 2 /* SS.bin */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== SS.bin ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Level || |- |1 || Challenge id || |- |2 || Challenge value || |- |6 || Response modifier || |- |7 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Field !! Notes |- |3 || Start PSN || |- |6 || End PSN || |} Overall format (2048 Bytes): {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Bookversion and Booktype || |- |768 || Version of challenge table || |- |769 || Number of challenge entries || |- |770 || Challenge entries || |- |1633 || 16 security sector ranges || |- |1840 || 16 security sector ranges || Copy from Offset 1633 |- |} Note that this information is still incomplete! ==== DMI.bin ==== 2048 Bytes ==== PFI.bin ==== 2048 Bytes === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 1b5e6e0823a67f922ea065417c03c96035061de1 5354 5352 2017-05-23T20:22:56Z JayFoxRox 2 /* SS.bin */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== SS.bin ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Level || |- |1 || Challenge id || |- |2 || Challenge value || |- |6 || Response modifier || |- |7 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Field !! Notes |- |3 || Start PSN || |- |6 || End PSN || |} Overall format (2048 Bytes): {| class="wikitable" ! Offset !! Field !! Notes |- |0 || Bookversion and Booktype || |- |768 || Version of challenge table || |- |769 || Number of challenge entries || |- |770 || Challenge entries || |- |1633 || 23 security sector ranges || Only 16 of which are used. |- |1840 || 23 security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! ==== DMI.bin ==== 2048 Bytes ==== PFI.bin ==== 2048 Bytes === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] f567d54d6be8ce6aea94a9339a798794ca4adf53 5356 5354 2017-05-24T05:41:42Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== SS.bin ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Overall format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u4, u4|| Bookversion and Booktype || |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! ==== DMI.bin ==== 2048 Bytes ==== PFI.bin ==== 2048 Bytes === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] db582461744b6dd9b7e6effb29e9590dfcf7881c 5357 5356 2017-05-24T05:51:33Z JayFoxRox 2 /* SS.bin */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== SS.bin ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Overall format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u4, u4|| Bookversion and Booktype || |- |4 || u32 || Some PSN? || |- |8 || u32 || Some PSN? || |- |12 || u32 || Some PSN? || |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! ==== DMI.bin ==== 2048 Bytes ==== PFI.bin ==== 2048 Bytes === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 3eee23115e500a120bbe48b7180230966b47c7a4 5358 5357 2017-05-24T06:02:40Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Overall format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] cd4b961673d5c2eb7c0fb528b15b3aca53d1846e 5360 5358 2017-05-24T12:31:58Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || u64 || || Another timestamp? (similar to 1055) |- |1191 || u32 || || Unknown |- |1210 || Unknown1 || || Unknown |- |1530 || Unknown1 || || Unknown |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 7ec57f9e7c867c1093a1b80c729f497fe896b835 5361 5360 2017-05-24T12:34:07Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown |- |1503 || Unknown1 || || Unknown |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |- |} Note that this information is still incomplete! === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 04d03ea20ceb38be8fa4cf2dc4716ba669f5e177 5363 5361 2017-05-24T12:49:59Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Level || |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || |- |769 || u8 || Number of challenge entries || |- |770 || Challenge entry[] || Challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || |- |1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] e871a8921eae5c3160d7b3835b1a0b0a9ed7e0b0 5364 5363 2017-05-24T13:01:34Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 8022f8db45e85c367f52197020e0671aa909065a 5371 5364 2017-05-24T15:02:12Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Different blank background without text / logos (opposite of the "XBOX" text without logo) == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 4e79108da8d931b7f74b3f3a64a9cf6b13bcba8e 5372 5371 2017-05-24T15:02:59Z JayFoxRox 2 /* Visible information on ring */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Different blank background without text / logos (opposite of the "XBOX" text without logo) == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 3c455fdab28852fc3907189a42ee294ed0c57a43 5374 5372 2017-05-24T15:03:49Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Different blank background without text / logos (opposite of the "XBOX" text without logo) == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 770cbff75963530878fb1f1b53b328504cb42de0 0 1 5337 5294 2017-05-23T10:44:54Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] ** [[Hard Drive]] ** [[USB]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] [[:Category:Games|Games]] * [[Engine List]] Emulation * [[Emulators]] {{:Main Page/Xbox Live}} Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] b7958f94fbf46ef9c3212321a7a4f75748706bc5 0 3724 5338 2017-05-23T10:53:00Z JayFoxRox 2 Created page with "The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Academy" wikitext text/x-wiki The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Academy 7619be4d6c1637f930fc912026feebd3b62e3cd2 5342 5338 2017-05-23T10:56:20Z JayFoxRox 2 wikitext text/x-wiki {{Game}} The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Academy 1bed87c7c47da5765b3e00df7db8601465461683 0 3725 5339 2017-05-23T10:53:46Z JayFoxRox 2 Created page with "The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Outcast" wikitext text/x-wiki The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Outcast 910156658b22c4ef795924475ffce0650753e09d 5341 5339 2017-05-23T10:56:02Z JayFoxRox 2 wikitext text/x-wiki {{Game}} The game source code has been released under the GPLv2: https://github.com/grayj/Jedi-Outcast 391180f0d877b89a2d61d7a27a0b92e79e609976 0 3726 5340 2017-05-23T10:55:42Z JayFoxRox 2 Created page with "{{Game}} Re-Volt is an unreleased Xbox game. It was included on the XBL beta disc{{citation needed}}. The source code was accidentally and leaked on purpose a couple of times..." wikitext text/x-wiki {{Game}} Re-Volt is an unreleased Xbox game. It was included on the XBL beta disc{{citation needed}}. The source code was accidentally and leaked on purpose a couple of times. Due to copyright issues we can not link or share the code here. 29efb327d2384c24787f27a1f31931508bcb5597 5383 5340 2017-05-24T15:28:53Z JayFoxRox 2 wikitext text/x-wiki {{Game}} Re-Volt is an unreleased Xbox game. It was included on the XBL beta disc{{citation needed}}. The source code was leaked accidentally and on purpose a couple of times. Due to copyright issues we can not link or share the code here. 585e2c09dc7b53e710b47a3a4e5678b6a31cfc44 0 3727 5343 2017-05-23T10:58:45Z JayFoxRox 2 Created page with "The source code was publicly posted to GitHub without comments or license information on February 13th, 2016. Due to possible copyright issues we can not link or share the cod..." wikitext text/x-wiki The source code was publicly posted to GitHub without comments or license information on February 13th, 2016. Due to possible copyright issues we can not link or share the code here. 1e19a933c321b5ade6875ba8cea15d576a125f4a 5344 5343 2017-05-23T10:58:57Z JayFoxRox 2 wikitext text/x-wiki {{Game}} The source code was publicly posted to GitHub without comments or license information on February 13th, 2016. Due to possible copyright issues we can not link or share the code here. 1fbfe50e48bfa23cc7e4de1b6f7fb6647e04a2ec 0 3728 5346 2017-05-23T13:22:26Z JayFoxRox 2 Created page with "{{Game}} Kameo Elements of Power is an unreleased Xbox game[https://www.unseen64.net/2008/04/16/kameo-xbox-cancelled/]. It eventually came out on Xbox 360. An Xbox version of..." wikitext text/x-wiki {{Game}} Kameo Elements of Power is an unreleased Xbox game[https://www.unseen64.net/2008/04/16/kameo-xbox-cancelled/]. It eventually came out on Xbox 360. An Xbox version of the game was leaked. 1bd3572da58a82aaf10da5ffc64d3bc8cabdaf23 2 3729 5359 2017-05-24T09:33:51Z Codeasm 2480 added some usb notes wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. 82b12805f700423105026e73390df16c73e39ef4 0 3704 5362 5326 2017-05-24T12:41:16Z JayFoxRox 2 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. There are four retail drives known to be used by Microsoft in the retail version of the console. any xbox dvd drive can be used in any retail xbox. Development kits can use and read debug signed code from these drives. Other drives that might work are firmware modded PC drives like Kreon drives. List of Xbox DVD Drive manufacturers * Thomson * Philips * Samsung * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 0da4eafdecc232c9ad430f5b72c912b96f796664 0 3706 5365 5288 2017-05-24T13:22:27Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | MS || Microsoft |- | EA || EA |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. It is expressed in 3 decimal digits here which suggests that the title ID integer will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] caffda537c4ba6165eb2d0fb8f6d4bb492dea292 5366 5365 2017-05-24T13:24:25Z JayFoxRox 2 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | MS || Microsoft |- | EA || EA |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 0b003e521e11411d1ea2e004a94f834a13e533f6 5367 5366 2017-05-24T13:56:27Z JayFoxRox 2 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || |- | EM || |- | ES || |- | FI || |- | FS || |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 551d4c870db0dca9d58d16001714823249ab32d0 5368 5367 2017-05-24T13:59:38Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || |- | EM || |- | ES || |- | FI || |- | FS || |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 8ab17219acf73639b643ba0abd47e4b9a387a6cb 5369 5368 2017-05-24T14:39:14Z Codeasm 2480 /* Title ID */ Zushi Games, formerly Zoo Digital Publishing wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || |- | EM || |- | ES || |- | FI || |- | FS || |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number Zushi Games, formerly Zoo Digital Publishing023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 4e186f6db2304f78a0873abe9d5acc9e63ed11fb 5370 5369 2017-05-24T14:55:00Z Codeasm 2480 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || Lukas Arts |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || Sega |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': FIFA 2003: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number Zushi Games, formerly Zoo Digital Publishing023, version 02, region Europe) * Title ID: Halo (1.02): * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] Halo (1.04): * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] f8a7608fb20b384d92fcd37417b90de6f63c651a 5376 5370 2017-05-24T15:05:28Z JayFoxRox 2 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || Lukas Arts |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || Sega |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 7e3a1d2b00d1c85610c4bb7a5e7a4b3f55218165 5384 5376 2017-05-24T15:36:31Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || |- | CC || |- | CK || |- | CM || |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || |- | KO || |- | KU || |- | LA || Lucas Arts |- | LS || |- | MD || |- | ME || |- | MI || |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 374f91040d0f539c241e3434eb120f2a55215242 0 3730 5373 2017-05-24T15:03:29Z JayFoxRox 2 Created page with "{{Game}}" wikitext text/x-wiki {{Game}} 77b07bee7f858b1884e6e97e303dfe5414c00281 0 3731 5375 2017-05-24T15:05:07Z JayFoxRox 2 Created page with "{{Game}}" wikitext text/x-wiki {{Game}} 77b07bee7f858b1884e6e97e303dfe5414c00281 0 3732 5377 2017-05-24T15:12:41Z JayFoxRox 2 Created page with "{{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC." wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC. 13f16ed7be31c7305d2f6379be4828a3e9c4c710 5381 5377 2017-05-24T15:27:55Z JayFoxRox 2 wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC. The source code was illegally offered for sale in the past. 3e7c0df30c3e6b16b611cb4bcecddaf97edaffc0 0 3733 5378 2017-05-24T15:14:18Z JayFoxRox 2 Created page with "{{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC. This game was originally planned to be an add-on for Grand Theft..." wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC. This game was originally planned to be an add-on for [[Grand Theft Auto III]]. The games still share the same engine. Information on the [[Grand Theft Auto III]] article might also be relevant to this game. f0b42bfb4ed064013bdb0a176c635b5df0675288 5382 5378 2017-05-24T15:28:10Z JayFoxRox 2 wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx_vc for a re-implementation of the Xbox graphics features for PC. The source code was illegally offered for sale in the past. This game was originally planned to be an add-on for [[Grand Theft Auto III]]. The games still share the same engine. Information on the [[Grand Theft Auto III]] article might also be relevant to this game. 7972c39367476623e0790f537e0a82d765ee1bfe 0 3734 5379 2017-05-24T15:25:16Z JayFoxRox 2 Created page with "{{Game}} See https://github.com/aap/skygfx for a re-implementation of the Xbox graphics features for PC. This game shares some technical aspects with [[Grand Theft Auto III]]..." wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx for a re-implementation of the Xbox graphics features for PC. This game shares some technical aspects with [[Grand Theft Auto III]] and [[Grand Theft Auto: Vice City]]. == Reverse engineering by aap == aap has reverse engineered a lot for skygfx. Some of these files might be for [[Grand Theft Auto III]] or [[Grand Theft Auto: Vice City]]. They come from a folder for all GTA research === Shader used for cars === ==== Shader 1 ==== <pre> ; c14 0.0 0.5 1.0 2.0 ; c26 specular ; c27 spec, fresnel, 0.6, power dp4 r3.x, v0, c4 dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 add r2.xyz, c12.xyzz, -r3.xyzz dp3 r0.x, v1.xyzz, c4.xyzz dp3 r2.w, r2.xyzz, r2.xyzz +mov oD0.w, c14.z dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz +rsq r1.w, r2.w mov r5.w, c14.w mul r2.xyz, r2.xyzz, r1.w ; r2: normalized view vector dp3 r0.w, r0.xyzz, r0.xyzz add r4.xyz, r2.xyzz, -c13.xyzz mov r11.w, c27.w +rsq r1.w, r0.w dp3 r4.w, r4.xyzz, r4.xyzz mul r0.xyz, r0.xyzz, r1.w ; r0: normalized world normal add r10.xyz, r2.xyzz, -c18.xyzz mul r11.z, c27.w, r5.w +rsq r1.w, r4.w dp3 r4.w, r10.xyzz, r10.xyzz add r9.yzw, r2.yyzx, -c19.yyzx mul r4.xyz, r4.xyzz, r1.w dp3 r4.w, r9.wyzz, r9.wyzz +rsq r1.w, r4.w add r8.xzw, r2.yyzx, -c20.yyzx dp3 r10.w, r4.xyzz, r0.xyzz mul r4.xyz, r10.xyzz, r1.w +rsq r1.x, r4.w dp3 r4.w, r8.wxzz, r8.wxzz add r10.xyz, r2.xyzz, -c21.xyzz max r11.x, r10.w, c14.x +rsq r1.w, r4.w dp3 r10.w, r4.xyzz, r0.xyzz mul r4.xyz, r9.wyzz, r1.x +lit r1.z, r11.xxxw dp3 r4.w, r10.xyzz, r10.xyzz max r11.y, r10.w, c14.x dp3 r11.x, r4.xyzz, r0.xyzz mul r4.xyz, r8.wxzz, r1.w +rsq r1.x, r4.w mul r8.xyz, r1.z, c26.xyzz ; direct light mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyz max r11.y, r11.x, c14.x dp3 r11.x, r4.xyzz, r0.xyzz mul r4.xyz, r10.xyzz, r1.x dp4 r6.y, v0, c0 dp4 r6.z, v0, c1 dp4 r6.x, v0, c2 +dp4 oFog.x, v0, c2 mad r8.xyz, r1.z, c22.xyzz, r8.xyzz ; add extra 1 mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyw max r11.y, r11.x, c14.x +mov oPos.xyz, r6.yzxw dp3 r11.x, r4.xyzz, r0.xyzz dp4 oPos.w, v0, c3 mad r8.xyz, r1.z, c23.xyzz, r8.xyzz ; add extra 2 mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyw max r11.y, r11.x, c14.x +rcc r1.x, r12.w mad r8.xyz, r1.z, c24.xyzz, r8.xyzz ; add extra 3 mul oPos.xyz, r12.xyzz, c-38.xyzz +lit r1.z, r11.yyyw mad oD0.xyz, r1.z, c25.xyzz, r8.xyzz ; add extra 4 mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 2 ==== <pre> ; v0 vertex ; v1 normal ; v2 tex coord ; c0 c1 c2 c3 worldviewproj matrix ; c4 c5 c6 world matrix ; c8 c9 texture matrix? ; c12 eye position ; c13 direct direction ; c14 0.0 0.5 1.0 2.0 ; c15 ambient ; c16 color ; c17 direct color ; c18 c19 c20 c21 extra directions ; c22 c23 c24 c25 extra colors ; c26 specular ; c27 spec, fresnel, 0.6, power dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 r3.x, v0, c4 dp3 r0.w, r0.xyzz, r0.xyzz +mov oT0.xy, v2.xyyy dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 +rsq r1.w, r0.w add r2.xyz, c12.xyzz, -r3.xyzz mul r0.xyz, r0.xyzz, r1.w ; r0.xyz: normalized world-normal dp3 r2.w, r2.xyzz, r2.xyzz dp3 r0.w, r0.xyzz, -c13.xyzz dp3 r11.w, r0.xyzz, -c18.xyzz +rsq r1.w, r2.w max r0.w, r0.w, c14.x mul r2.xyz, r2.xyzz, r1.w ; r2: normalized world-view-vector dp3 r7.x, r2.xyzz, r0.xyzz mul r8.xyz, r0.w, c16.xyzz ; direct color max r5.x, r7.x, c14.x mov r11.xyz, c16 +mov oD0.w, c16 max r0.w, r11.w, c14.x dp3 r11.w, r0.xyzz, -c19.xyzz mul r6.x, r7.x, c14.w add r5.x, c14.z, -r5.x mad r8.xyz, c15.xyzz, r11.xyzz, r8.xyzz ; add ambient color mul r6.yzw, r0.w, c22.yyzx max r0.w, r11.w, c14.x dp3 r11.w, r0.xyzz, -c20.xyzz mad r11.xyz, r6.x, r0.xyzz, -r2.xyzz mul r6.x, r5.x, r5.x dp4 r10.y, v0, c0 dp4 r10.z, v0, c1 dp4 r10.x, v0, c2 +dp4 oFog.x, v0, c2 mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 1 mul r6.yzw, r0.w, c23.yyzx +mov oPos.xyz, r10.yzxw max r0.w, r11.w, c14.x dp3 r0.x, r0.xyzz, -c21.xyzz dp3 r11.x, r11.xyzz, c8.xyzz mul r6.x, r6.x, r6.x mov r11.w, c27.y dp4 oPos.w, v0, c3 mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 2 mul r6.yzw, r0.w, c24.yyzx +rcc r1.x, r12.w max r0.w, r0.x, c14.x dp3 r11.y, r11.xyzz, c9.xyzz mul r5.x, r5.x, r6.x add r7.x, c14.z, -r11.w mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 3 mul r6.xyz, r0.w, c25.xyzz mul r11.yw, r11.yyyx, c14.y mad r5.x, r7.x, r5.x, c27.y mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0.xyz, r6.xyzz, c16.xyzz, r8.xyzz ; add extra light 4 add oT1.xy, r11.wyyy, c14.y mul oD1, r5.x, c27.x mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> === Gloss shader === <pre> ; v0 vertex pos ; v2 tex coord ; c0-c3 matrix ; c4-c7 world matrix ; c12 eye position ; c13 light direction ; c26 pipeline data... ; c27 0, 0, 0, 8.0 ; c28 0, 0, 1, 1 ; c29 0.5, 0.5, 0.5, 0.5 dp4 r3.x, v0, c4 dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 add r2.xyz, c12.xyzz, -r3.xyzz dp4 r6.x, v0, c0 dp3 r2.w, r2.xyzz, r2.xyzz +mov oT0, v2 dp4 r6.y, v0, c1 dp4 r6.z, v0, c2 +rsq r1.w, r2.w dp4 oPos.w, v0, c3 mul r2.xyz, r2.xyzz, r1.w ; r2: view vector +mov oPos.xyz, r6 mov r5.xyz, c28.xyzz +rcc r1.x, r12.w add r4.xyz, r2.xyzz, c13.xyzz mul oPos.xyz, r12.xyzz, c-38.xyzz dp3 r4.w, r4.xyzz, r4.xyzz +mov oFog.xyz, c26.xyzz mad oD0.xyz, r5.xyzz, c29.xyzz, c29.xyzz rsq r4.w, r4.w mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz mul r5.xyz, r4.xyzz, r4.w mad oD1.xyz, r5.xyzz, c29.xyzz, c29.xyzz </pre> <pre> typedef struct _D3DPixelShaderDef { DWORD PSAlphaInputs[8]; // Alpha inputs for each stage 00000000 00000000 00000000 cdc81010 DWORD PSFinalCombinerInputsABCD; // Final combiner inputs 130f0000 DWORD PSFinalCombinerInputsEFG; // Final combiner inputs (continued) 0d081c80 DWORD PSConstant0[8]; // C0 for each stage DWORD PSConstant1[8]; // C1 for each stage DWORD PSAlphaOutputs[8]; // Alpha output for each stage 00000000 00000000 00000000 000000c0 DWORD PSRGBInputs[8]; // RGB inputs for each stage 44450000 PS_REGISTER_V0 PS_INPUTMAPPING_EXPAND_NORMAL PS_REGISTER_V1 PS_INPUTMAPPING_EXPAND_NORMAL cdcd0000 PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY cdcd0000 cdcd0000 DWORD PSCompareMode; // Compare modes for clipplane texture mode DWORD PSFinalCombinerConstant0; // C0 in final combiner DWORD PSFinalCombinerConstant1; // C1 in final combiner DWORD PSRGBOutputs[8]; // Stage 0 RGB outputs 000020d0 PS_REGISTER_R1 PS_COMBINEROUTPUT_AB_DOT_PRODUCT PS_REGISTER_ZERO 000000d0 PS_REGISTER_R1 PS_COMBINEROUTPUT_AB_MULTIPLY 000000d0 000000d0 DWORD PSCombinerCount; // Active combiner count (Stages 0-7) 00011104 4 PS_COMBINERCOUNT_MUX_MSB PS_COMBINERCOUNT_UNIQUE_C0 PS_COMBINERCOUNT_UNIQUE_C1 DWORD PSTextureModes; // Texture addressing modes 00000001 PS_TEXTUREMODES_PROJECT2D DWORD PSDotMapping; // Input mapping for dot product modes DWORD PSInputTexture; // Texture source for some texture modes DWORD PSC0Mapping; // Mapping of c0 regs to D3D constants DWORD PSC1Mapping; // Mapping of c1 regs to D3D constants DWORD PSFinalCombinerConstants; // Final combiner constant mapping } D3DPIXELSHADERDEF; </pre> === San Andreas Car Shaders === These shaders are picked depending on the following flags: <pre> 1 default 2 refl && !spec && lit 3 env && !lit env && !spec && lit 4 spec && lit 5 refl && spec && lit 6 env && spec && lit </pre> ==== Shader 1 ==== <pre> ; c0-3 matrix ; c4-6 world/normal matrix ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 dp4 oPos.w, v0, c3 dp3 r0.y, v1, c5 dp3 r0.x, v1, c4 +mov oFog.x, r12.w dp3 r0.z, v1, c6 mov r0.w, c20 +mov oT0, v2 mov r2, c15 dp3 r0.xyz, r0, -c16 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w max r0.xyz, r0.xyzz, c32.x min r0.xyz, r0.xyzz, c32.y mul r0.xyz, r0, c13 mul r0.xyz, r0, c20 mad oD0, r2, c21, r0 mad oPos.xyz, r12, r1.x, c-37 </pre> ==== Shader 2 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 oPos.w, v0, c3 dp3 r11.x, r0.xyzz, c8.xyzz +mov oT0, v2 dp3 r11.y, r0.xyzz, c9.xyzz +rcc r1.x, r12.w dp3 r11.z, r0.xyzz, c10.xyzz +mov oFog.x, r12.w dp3 r0.w, r0.xyzz, -c16.xyzz dp3 r11.w, r11.xyzz, r11.xyzz max r0.x, r0.w, c32.x min r0.x, r0.x, c32.y +rsq r1.w, r11.w mov r10.y, c32.y mul r10.zw, r11.yyyx, r1.w dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 mul r0.xyz, r0.x, c13.xyzz mul r0.xyz, r0.xyzz, c20.xyzz mov r0.w, c20.w mov r2, c15 dp3 r11.x, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz mov r11.z, c32.y mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0, r2, c21, r0 mov oT1, r11.xyzz mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 3 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 oPos.w, v0, c3 dp3 r0.w, r0.xyzz, -c16.xyzz +mov oT0, v2 mov r11.xz, v3.xxyy +rcc r1.x, r12.w max r0.x, r0.w, c32.x +mov oFog.x, r12.w mov r11.y, c32.y min r0.x, r0.x, c32.y dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 mul r0.xyz, r0.x, c13.xyzz mul r0.xyz, r0.xyzz, c20.xyzz mov r0.w, c20.w mov r2, c15 dp3 r10.w, r11.xzyy, c24.xyzz dp3 r10.y, r11.xzyy, c25.xyzz mov r10.z, v3.w mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0, r2, c21, r0 mov oT1, r10.wyzz mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 4 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r11.x, v1.xyzz, c4.xyzz add r0.xyz, -r10.xyzz, c12.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r11.z, v1.xyzz, c6.xyzz ; r11.xyz world normal dp4 oPos.w, v0, c3 +rsq r1.x, r11.w dp3 r4.x, r11.xyzz, -c16.xyzz ; diffuse factor +mov oT0, v2 mul r0.xyz, r0.xyzz, r1.x ; r0.xyz view vector +rcc r1.y, r12.w mul r4.xyz, r4.x, c13.xyzz +mov oFog.x, r12.w add r2.xyz, r0.xyzz, -c16.xyzz mul r4.xyz, r4.xyzz, c20.xyzz dp3 r11.w, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c32.z dp4 oPos.x, v0, c0 +rsq r1.x, r11.w dp4 oPos.y, v0, c1 mul r2.xyz, r2.xyzz, r1.x ; r2.xyz spec vector dp3 r3.x, r11.xyzz, r2.xyzz dp4 oPos.z, v0, c2 mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz mul oPos.xyz, r12.xyzz, c-38.xyzz mov oD0.xyz, r0 mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> ==== Shader 5 ==== <pre> dp3 r11.x, v1.xyzz, c4.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.z, v1.xyzz, c6.xyzz dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r4.x, r11.xyzz, -c16.xyzz +mov oT0, v2 add r0.xyz, -r10.xyzz, c12.xyzz dp3 r10.w, r11.xyzz, c8.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r10.y, r11.xyzz, c9.xyzz mul r4.xyz, r4.x, c13.xyzz +rsq r1.x, r11.w dp3 r10.z, r11.xyzz, c10.xyzz mul r0.xyz, r0.xyzz, r1.x add r2.xyz, r0.xyzz, -c16.xyzz dp3 r11.w, r10.wyzz, r10.wyzz dp3 r10.x, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c20.xyzz +rsq r1.w, r11.w dp4 oPos.w, v0, c3 +rsq r1.x, r10.x mul r4.xyz, r4.xyzz, c32.z mul r2.xyz, r2.xyzz, r1.x +rcc r1.y, r12.w mul r10.zw, r10.yyyw, r1.w +mov oFog.x, r12.w dp3 r3.x, r11.xyzz, r2.xyzz mov r10.y, c32.y mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz dp3 r11.w, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz +mov oD0.xyz, r0 mov r11.z, c32.y mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT1, r11.wyzz mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> ==== Shader 6 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord 1 ; v3 tex coord 2 ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r11.x, v1.xyzz, c4.xyzz add r0.xyz, -r10.xyzz, c12.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r11.z, v1.xyzz, c6.xyzz ; r11 normal dp4 oPos.w, v0, c3 +rsq r1.x, r11.w dp3 r4.x, r11.xyzz, -c16.xyzz +mov oT0, v2 mul r0.xyz, r0.xyzz, r1.x ; r0 view vector +rcc r1.y, r12.w mul r4.xyz, r4.x, c13.xyzz +mov oFog.x, r12.w add r2.xyz, r0.xyzz, -c16.xyzz mul r4.xyz, r4.xyzz, c20.xyzz dp3 r11.w, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c32.z ; r4 diffuse term mov r10.zw, v3.yyyx +rsq r1.x, r11.w mov r10.y, c32.y mul r2.xyz, r2.xyzz, r1.x dp3 r3.x, r11.xyzz, r2.xyzz dp4 oPos.x, v0, c0 mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z ; r3 specular term dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz dp3 r11.w, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz +mov oD0.xyz, r0 mov r11.z, v3.w mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT1, r11.wyzz mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> === Shader used for grass === <pre> dp4 oPos.w, v0, c3 dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 +rcc r1.x, r12.w dp4 oPos.z, v0, c2 mov oFog.x, r12.w mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT0, v1 mov oD0, c20 mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> === Pixelshader used for world objects (?) === <pre> typedef struct _D3DPixelShaderDef { DWORD PSAlphaInputs[8]; // Alpha inputs for each stage 14181010 PS_REGISTER_V0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_T0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY dcd11010 PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_C0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY DWORD PSFinalCombinerInputsABCD; // Final combiner inputs 130c0300 PS_REGISTER_FOG PS_CHANNEL_ALPHA PS_REGISTER_R0 PS_REGISTER_FOG DWORD PSFinalCombinerInputsEFG; // Final combiner inputs (continued) 00001c80 PS_REGISTER_R0 PS_CHANNEL_ALPHA PS_FINALCOMBINERSETTING_CLAMP_SUM DWORD PSConstant0[8]; // C0 for each stage ffffffff ffffffff DWORD PSConstant1[8]; // C1 for each stage DWORD PSAlphaOutputs[8]; // Alpha output for each stage 000000c0 PS_REGISTER_DISCARD PS_REGISTER_R0 000000c0 PS_REGISTER_DISCARD PS_REGISTER_R0 DWORD PSRGBInputs[8]; // RGB inputs for each stage 0804c149 PS_REGISTER_T0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_V0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_C0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_T1 PS_INPUTMAPPING_EXPAND_NORMAL cdcc20cc PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_INVERT PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY DWORD PSCompareMode; // Compare modes for clipplane texture mode DWORD PSFinalCombinerConstant0; // C0 in final combiner DWORD PSFinalCombinerConstant1; // C1 in final combiner DWORD PSRGBOutputs[8]; // Stage 0 RGB outputs 000000cd PS_REGISTER_R1 PS_COMBINEROUTPUT_CD_MULTIPLY PS_REGISTER_R0 PS_COMBINEROUTPUT_AB_MULTIPLY 00000c00 PS_REGISTER_R0 PS_COMBINEROUTPUT_AB_CD_SUM DWORD PSCombinerCount; // Active combiner count (Stages 0-7) 00011102 2 PS_COMBINERCOUNT_MUX_MSB PS_COMBINERCOUNT_UNIQUE_C0 PS_COMBINERCOUNT_UNIQUE_C1 DWORD PSTextureModes; // Texture addressing modes 00000021 PS_TEXTUREMODES_PROJECT2D PS_TEXTUREMODES_PROJECT2D DWORD PSDotMapping; // Input mapping for dot product modes DWORD PSInputTexture; // Texture source for some texture modes DWORD PSC0Mapping; // Mapping of c0 regs to D3D constants ffffff00 DWORD PSC1Mapping; // Mapping of c1 regs to D3D constants ffffffff DWORD PSFinalCombinerConstants; // Final combiner constant mapping 000001ff } D3DPIXELSHADERDEF; </pre> === Xbox vertex formats === <pre> 0000XXXC 44443333 2222111 NNNNVVVV V N: 1 0x34 D3DVSDT_PBYTE3 2 0x35 D3DVSDT_SHORT3 3 0x31 D3DVSDT_NORMSHORT3 4 0x16 D3DVSDT_NORMPACKED3 default normal 5 0x32 D3DVSDT_FLOAT3 default position C: 0x40 D3DVSDT_D3DCOLOR T1-4: 1 0x24 D3DVSDT_PBYTE2 2 0x25 D3DVSDT_SHORT2 3 0x21 D3DVSDT_NORMSHORT2 4 0x16 D3DVSDT_NORMPACKED3 5 0x22 D3DVSDT_FLOAT2 default X: tangent? XXX is index of tex coord set - 1 that has the data anything 0x16 D3DVSDT_NORMPACKED3 0x16 D3DVSDT_NORMPACKED3 default: 0 position 2 normal 3 color 9-C tex coords skin: stream 0 0 position 3 normal 4 color 5-8 tex coords stream 1 1 weights D3DVSDT_PBYTEn 2 indices D3DVSDT_SHORTn normmap: 40320000 ; vertex 40160001 ; normal 40220002 ; tex coords 40160003 ; ? 40160004 ; ? 40320000 ; vertex 40160001 ; normal 40400002 ; color 40220003 ; tex coords 40160004 ; ? 40160005 ; ? 20000000h 40320000h ; vertex 5 40160001h ; normal 4 40220002h ; tex coord 40400004h ; color 5 0FFFFFFFFh </pre> b18fb4681b247813d44a1eb187248e511be968d4 5380 5379 2017-05-24T15:27:42Z JayFoxRox 2 wikitext text/x-wiki {{Game}} See https://github.com/aap/skygfx for a re-implementation of the Xbox graphics features for PC. This game shares some technical aspects with [[Grand Theft Auto III]] and [[Grand Theft Auto: Vice City]]. At least some parts of the games source code have been leaked into the public. The source code was illegally offered for sale in the past. == Reverse engineering by aap == aap has reverse engineered a lot for skygfx. Some of these files might be for [[Grand Theft Auto III]] or [[Grand Theft Auto: Vice City]]. They come from a folder for all GTA research === Shader used for cars === ==== Shader 1 ==== <pre> ; c14 0.0 0.5 1.0 2.0 ; c26 specular ; c27 spec, fresnel, 0.6, power dp4 r3.x, v0, c4 dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 add r2.xyz, c12.xyzz, -r3.xyzz dp3 r0.x, v1.xyzz, c4.xyzz dp3 r2.w, r2.xyzz, r2.xyzz +mov oD0.w, c14.z dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz +rsq r1.w, r2.w mov r5.w, c14.w mul r2.xyz, r2.xyzz, r1.w ; r2: normalized view vector dp3 r0.w, r0.xyzz, r0.xyzz add r4.xyz, r2.xyzz, -c13.xyzz mov r11.w, c27.w +rsq r1.w, r0.w dp3 r4.w, r4.xyzz, r4.xyzz mul r0.xyz, r0.xyzz, r1.w ; r0: normalized world normal add r10.xyz, r2.xyzz, -c18.xyzz mul r11.z, c27.w, r5.w +rsq r1.w, r4.w dp3 r4.w, r10.xyzz, r10.xyzz add r9.yzw, r2.yyzx, -c19.yyzx mul r4.xyz, r4.xyzz, r1.w dp3 r4.w, r9.wyzz, r9.wyzz +rsq r1.w, r4.w add r8.xzw, r2.yyzx, -c20.yyzx dp3 r10.w, r4.xyzz, r0.xyzz mul r4.xyz, r10.xyzz, r1.w +rsq r1.x, r4.w dp3 r4.w, r8.wxzz, r8.wxzz add r10.xyz, r2.xyzz, -c21.xyzz max r11.x, r10.w, c14.x +rsq r1.w, r4.w dp3 r10.w, r4.xyzz, r0.xyzz mul r4.xyz, r9.wyzz, r1.x +lit r1.z, r11.xxxw dp3 r4.w, r10.xyzz, r10.xyzz max r11.y, r10.w, c14.x dp3 r11.x, r4.xyzz, r0.xyzz mul r4.xyz, r8.wxzz, r1.w +rsq r1.x, r4.w mul r8.xyz, r1.z, c26.xyzz ; direct light mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyz max r11.y, r11.x, c14.x dp3 r11.x, r4.xyzz, r0.xyzz mul r4.xyz, r10.xyzz, r1.x dp4 r6.y, v0, c0 dp4 r6.z, v0, c1 dp4 r6.x, v0, c2 +dp4 oFog.x, v0, c2 mad r8.xyz, r1.z, c22.xyzz, r8.xyzz ; add extra 1 mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyw max r11.y, r11.x, c14.x +mov oPos.xyz, r6.yzxw dp3 r11.x, r4.xyzz, r0.xyzz dp4 oPos.w, v0, c3 mad r8.xyz, r1.z, c23.xyzz, r8.xyzz ; add extra 2 mul r11.w, c27.w, r5.w +lit r1.z, r11.yyyw max r11.y, r11.x, c14.x +rcc r1.x, r12.w mad r8.xyz, r1.z, c24.xyzz, r8.xyzz ; add extra 3 mul oPos.xyz, r12.xyzz, c-38.xyzz +lit r1.z, r11.yyyw mad oD0.xyz, r1.z, c25.xyzz, r8.xyzz ; add extra 4 mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 2 ==== <pre> ; v0 vertex ; v1 normal ; v2 tex coord ; c0 c1 c2 c3 worldviewproj matrix ; c4 c5 c6 world matrix ; c8 c9 texture matrix? ; c12 eye position ; c13 direct direction ; c14 0.0 0.5 1.0 2.0 ; c15 ambient ; c16 color ; c17 direct color ; c18 c19 c20 c21 extra directions ; c22 c23 c24 c25 extra colors ; c26 specular ; c27 spec, fresnel, 0.6, power dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 r3.x, v0, c4 dp3 r0.w, r0.xyzz, r0.xyzz +mov oT0.xy, v2.xyyy dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 +rsq r1.w, r0.w add r2.xyz, c12.xyzz, -r3.xyzz mul r0.xyz, r0.xyzz, r1.w ; r0.xyz: normalized world-normal dp3 r2.w, r2.xyzz, r2.xyzz dp3 r0.w, r0.xyzz, -c13.xyzz dp3 r11.w, r0.xyzz, -c18.xyzz +rsq r1.w, r2.w max r0.w, r0.w, c14.x mul r2.xyz, r2.xyzz, r1.w ; r2: normalized world-view-vector dp3 r7.x, r2.xyzz, r0.xyzz mul r8.xyz, r0.w, c16.xyzz ; direct color max r5.x, r7.x, c14.x mov r11.xyz, c16 +mov oD0.w, c16 max r0.w, r11.w, c14.x dp3 r11.w, r0.xyzz, -c19.xyzz mul r6.x, r7.x, c14.w add r5.x, c14.z, -r5.x mad r8.xyz, c15.xyzz, r11.xyzz, r8.xyzz ; add ambient color mul r6.yzw, r0.w, c22.yyzx max r0.w, r11.w, c14.x dp3 r11.w, r0.xyzz, -c20.xyzz mad r11.xyz, r6.x, r0.xyzz, -r2.xyzz mul r6.x, r5.x, r5.x dp4 r10.y, v0, c0 dp4 r10.z, v0, c1 dp4 r10.x, v0, c2 +dp4 oFog.x, v0, c2 mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 1 mul r6.yzw, r0.w, c23.yyzx +mov oPos.xyz, r10.yzxw max r0.w, r11.w, c14.x dp3 r0.x, r0.xyzz, -c21.xyzz dp3 r11.x, r11.xyzz, c8.xyzz mul r6.x, r6.x, r6.x mov r11.w, c27.y dp4 oPos.w, v0, c3 mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 2 mul r6.yzw, r0.w, c24.yyzx +rcc r1.x, r12.w max r0.w, r0.x, c14.x dp3 r11.y, r11.xyzz, c9.xyzz mul r5.x, r5.x, r6.x add r7.x, c14.z, -r11.w mad r8.xyz, r6.wyzz, c16.xyzz, r8.xyzz ; add extra light 3 mul r6.xyz, r0.w, c25.xyzz mul r11.yw, r11.yyyx, c14.y mad r5.x, r7.x, r5.x, c27.y mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0.xyz, r6.xyzz, c16.xyzz, r8.xyzz ; add extra light 4 add oT1.xy, r11.wyyy, c14.y mul oD1, r5.x, c27.x mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> === Gloss shader === <pre> ; v0 vertex pos ; v2 tex coord ; c0-c3 matrix ; c4-c7 world matrix ; c12 eye position ; c13 light direction ; c26 pipeline data... ; c27 0, 0, 0, 8.0 ; c28 0, 0, 1, 1 ; c29 0.5, 0.5, 0.5, 0.5 dp4 r3.x, v0, c4 dp4 r3.y, v0, c5 dp4 r3.z, v0, c6 add r2.xyz, c12.xyzz, -r3.xyzz dp4 r6.x, v0, c0 dp3 r2.w, r2.xyzz, r2.xyzz +mov oT0, v2 dp4 r6.y, v0, c1 dp4 r6.z, v0, c2 +rsq r1.w, r2.w dp4 oPos.w, v0, c3 mul r2.xyz, r2.xyzz, r1.w ; r2: view vector +mov oPos.xyz, r6 mov r5.xyz, c28.xyzz +rcc r1.x, r12.w add r4.xyz, r2.xyzz, c13.xyzz mul oPos.xyz, r12.xyzz, c-38.xyzz dp3 r4.w, r4.xyzz, r4.xyzz +mov oFog.xyz, c26.xyzz mad oD0.xyz, r5.xyzz, c29.xyzz, c29.xyzz rsq r4.w, r4.w mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz mul r5.xyz, r4.xyzz, r4.w mad oD1.xyz, r5.xyzz, c29.xyzz, c29.xyzz </pre> <pre> typedef struct _D3DPixelShaderDef { DWORD PSAlphaInputs[8]; // Alpha inputs for each stage 00000000 00000000 00000000 cdc81010 DWORD PSFinalCombinerInputsABCD; // Final combiner inputs 130f0000 DWORD PSFinalCombinerInputsEFG; // Final combiner inputs (continued) 0d081c80 DWORD PSConstant0[8]; // C0 for each stage DWORD PSConstant1[8]; // C1 for each stage DWORD PSAlphaOutputs[8]; // Alpha output for each stage 00000000 00000000 00000000 000000c0 DWORD PSRGBInputs[8]; // RGB inputs for each stage 44450000 PS_REGISTER_V0 PS_INPUTMAPPING_EXPAND_NORMAL PS_REGISTER_V1 PS_INPUTMAPPING_EXPAND_NORMAL cdcd0000 PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY cdcd0000 cdcd0000 DWORD PSCompareMode; // Compare modes for clipplane texture mode DWORD PSFinalCombinerConstant0; // C0 in final combiner DWORD PSFinalCombinerConstant1; // C1 in final combiner DWORD PSRGBOutputs[8]; // Stage 0 RGB outputs 000020d0 PS_REGISTER_R1 PS_COMBINEROUTPUT_AB_DOT_PRODUCT PS_REGISTER_ZERO 000000d0 PS_REGISTER_R1 PS_COMBINEROUTPUT_AB_MULTIPLY 000000d0 000000d0 DWORD PSCombinerCount; // Active combiner count (Stages 0-7) 00011104 4 PS_COMBINERCOUNT_MUX_MSB PS_COMBINERCOUNT_UNIQUE_C0 PS_COMBINERCOUNT_UNIQUE_C1 DWORD PSTextureModes; // Texture addressing modes 00000001 PS_TEXTUREMODES_PROJECT2D DWORD PSDotMapping; // Input mapping for dot product modes DWORD PSInputTexture; // Texture source for some texture modes DWORD PSC0Mapping; // Mapping of c0 regs to D3D constants DWORD PSC1Mapping; // Mapping of c1 regs to D3D constants DWORD PSFinalCombinerConstants; // Final combiner constant mapping } D3DPIXELSHADERDEF; </pre> === San Andreas Car Shaders === These shaders are picked depending on the following flags: <pre> 1 default 2 refl && !spec && lit 3 env && !lit env && !spec && lit 4 spec && lit 5 refl && spec && lit 6 env && spec && lit </pre> ==== Shader 1 ==== <pre> ; c0-3 matrix ; c4-6 world/normal matrix ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 dp4 oPos.w, v0, c3 dp3 r0.y, v1, c5 dp3 r0.x, v1, c4 +mov oFog.x, r12.w dp3 r0.z, v1, c6 mov r0.w, c20 +mov oT0, v2 mov r2, c15 dp3 r0.xyz, r0, -c16 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w max r0.xyz, r0.xyzz, c32.x min r0.xyz, r0.xyzz, c32.y mul r0.xyz, r0, c13 mul r0.xyz, r0, c20 mad oD0, r2, c21, r0 mad oPos.xyz, r12, r1.x, c-37 </pre> ==== Shader 2 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 oPos.w, v0, c3 dp3 r11.x, r0.xyzz, c8.xyzz +mov oT0, v2 dp3 r11.y, r0.xyzz, c9.xyzz +rcc r1.x, r12.w dp3 r11.z, r0.xyzz, c10.xyzz +mov oFog.x, r12.w dp3 r0.w, r0.xyzz, -c16.xyzz dp3 r11.w, r11.xyzz, r11.xyzz max r0.x, r0.w, c32.x min r0.x, r0.x, c32.y +rsq r1.w, r11.w mov r10.y, c32.y mul r10.zw, r11.yyyx, r1.w dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 mul r0.xyz, r0.x, c13.xyzz mul r0.xyz, r0.xyzz, c20.xyzz mov r0.w, c20.w mov r2, c15 dp3 r11.x, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz mov r11.z, c32.y mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0, r2, c21, r0 mov oT1, r11.xyzz mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 3 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp3 r0.x, v1.xyzz, c4.xyzz dp3 r0.y, v1.xyzz, c5.xyzz dp3 r0.z, v1.xyzz, c6.xyzz dp4 oPos.w, v0, c3 dp3 r0.w, r0.xyzz, -c16.xyzz +mov oT0, v2 mov r11.xz, v3.xxyy +rcc r1.x, r12.w max r0.x, r0.w, c32.x +mov oFog.x, r12.w mov r11.y, c32.y min r0.x, r0.x, c32.y dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 mul r0.xyz, r0.x, c13.xyzz mul r0.xyz, r0.xyzz, c20.xyzz mov r0.w, c20.w mov r2, c15 dp3 r10.w, r11.xzyy, c24.xyzz dp3 r10.y, r11.xzyy, c25.xyzz mov r10.z, v3.w mul oPos.xyz, r12.xyzz, c-38.xyzz mad oD0, r2, c21, r0 mov oT1, r10.wyzz mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> ==== Shader 4 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r11.x, v1.xyzz, c4.xyzz add r0.xyz, -r10.xyzz, c12.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r11.z, v1.xyzz, c6.xyzz ; r11.xyz world normal dp4 oPos.w, v0, c3 +rsq r1.x, r11.w dp3 r4.x, r11.xyzz, -c16.xyzz ; diffuse factor +mov oT0, v2 mul r0.xyz, r0.xyzz, r1.x ; r0.xyz view vector +rcc r1.y, r12.w mul r4.xyz, r4.x, c13.xyzz +mov oFog.x, r12.w add r2.xyz, r0.xyzz, -c16.xyzz mul r4.xyz, r4.xyzz, c20.xyzz dp3 r11.w, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c32.z dp4 oPos.x, v0, c0 +rsq r1.x, r11.w dp4 oPos.y, v0, c1 mul r2.xyz, r2.xyzz, r1.x ; r2.xyz spec vector dp3 r3.x, r11.xyzz, r2.xyzz dp4 oPos.z, v0, c2 mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz mul oPos.xyz, r12.xyzz, c-38.xyzz mov oD0.xyz, r0 mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> ==== Shader 5 ==== <pre> dp3 r11.x, v1.xyzz, c4.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.z, v1.xyzz, c6.xyzz dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r4.x, r11.xyzz, -c16.xyzz +mov oT0, v2 add r0.xyz, -r10.xyzz, c12.xyzz dp3 r10.w, r11.xyzz, c8.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r10.y, r11.xyzz, c9.xyzz mul r4.xyz, r4.x, c13.xyzz +rsq r1.x, r11.w dp3 r10.z, r11.xyzz, c10.xyzz mul r0.xyz, r0.xyzz, r1.x add r2.xyz, r0.xyzz, -c16.xyzz dp3 r11.w, r10.wyzz, r10.wyzz dp3 r10.x, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c20.xyzz +rsq r1.w, r11.w dp4 oPos.w, v0, c3 +rsq r1.x, r10.x mul r4.xyz, r4.xyzz, c32.z mul r2.xyz, r2.xyzz, r1.x +rcc r1.y, r12.w mul r10.zw, r10.yyyw, r1.w +mov oFog.x, r12.w dp3 r3.x, r11.xyzz, r2.xyzz mov r10.y, c32.y mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz dp3 r11.w, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz +mov oD0.xyz, r0 mov r11.z, c32.y mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT1, r11.wyzz mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> ==== Shader 6 ==== <pre> ; v0 position ; v1 normal ; v2 tex coord 1 ; v3 tex coord 2 ; c0-3 matrix ; c4-6 world/normal matrix ; c12 eye ; c13 direct color ; c14 0.7 0.7 0.7 1.0 ; c15 ambient color ; c16 light direction ; c20 diff mat ; c21 amb mat ; c22 spec mat ; c32 0, 1, 0.5, 2 ; c33 0.3 0.7 0.1 0.01 dp4 r10.x, v0, c4 dp4 r10.y, v0, c5 dp4 r10.z, v0, c6 dp3 r11.x, v1.xyzz, c4.xyzz add r0.xyz, -r10.xyzz, c12.xyzz dp3 r11.y, v1.xyzz, c5.xyzz dp3 r11.w, r0.xyzz, r0.xyzz +mov oD0.w, c20.w dp3 r11.z, v1.xyzz, c6.xyzz ; r11 normal dp4 oPos.w, v0, c3 +rsq r1.x, r11.w dp3 r4.x, r11.xyzz, -c16.xyzz +mov oT0, v2 mul r0.xyz, r0.xyzz, r1.x ; r0 view vector +rcc r1.y, r12.w mul r4.xyz, r4.x, c13.xyzz +mov oFog.x, r12.w add r2.xyz, r0.xyzz, -c16.xyzz mul r4.xyz, r4.xyzz, c20.xyzz dp3 r11.w, r2.xyzz, r2.xyzz mul r4.xyz, r4.xyzz, c32.z ; r4 diffuse term mov r10.zw, v3.yyyx +rsq r1.x, r11.w mov r10.y, c32.y mul r2.xyz, r2.xyzz, r1.x dp3 r3.x, r11.xyzz, r2.xyzz dp4 oPos.x, v0, c0 mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.x, r3.x, r3.x mul r3.xyz, r3.x, c14.xyzz mul r3.xyz, r3.xyzz, c22.xyzz mul r3.xyz, r3.xyzz, c32.z ; r3 specular term dp4 oPos.y, v0, c1 dp4 oPos.z, v0, c2 add r0.xyz, r4.xyzz, r3.xyzz mov r2.xyz, c15.xyzz mad r0.xyz, r2.xyzz, c21.xyzz, r0.xyzz dp3 r11.w, r10.wzyy, c24.xyzz dp3 r11.y, r10.wzyy, c25.xyzz +mov oD0.xyz, r0 mov r11.z, v3.w mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT1, r11.wyzz mad oPos.xyz, r12.xyzz, r1.y, c-37.xyzz </pre> === Shader used for grass === <pre> dp4 oPos.w, v0, c3 dp4 oPos.x, v0, c0 dp4 oPos.y, v0, c1 +rcc r1.x, r12.w dp4 oPos.z, v0, c2 mov oFog.x, r12.w mul oPos.xyz, r12.xyzz, c-38.xyzz mov oT0, v1 mov oD0, c20 mad oPos.xyz, r12.xyzz, r1.x, c-37.xyzz </pre> === Pixelshader used for world objects (?) === <pre> typedef struct _D3DPixelShaderDef { DWORD PSAlphaInputs[8]; // Alpha inputs for each stage 14181010 PS_REGISTER_V0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_T0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY dcd11010 PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_C0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_IDENTITY DWORD PSFinalCombinerInputsABCD; // Final combiner inputs 130c0300 PS_REGISTER_FOG PS_CHANNEL_ALPHA PS_REGISTER_R0 PS_REGISTER_FOG DWORD PSFinalCombinerInputsEFG; // Final combiner inputs (continued) 00001c80 PS_REGISTER_R0 PS_CHANNEL_ALPHA PS_FINALCOMBINERSETTING_CLAMP_SUM DWORD PSConstant0[8]; // C0 for each stage ffffffff ffffffff DWORD PSConstant1[8]; // C1 for each stage DWORD PSAlphaOutputs[8]; // Alpha output for each stage 000000c0 PS_REGISTER_DISCARD PS_REGISTER_R0 000000c0 PS_REGISTER_DISCARD PS_REGISTER_R0 DWORD PSRGBInputs[8]; // RGB inputs for each stage 0804c149 PS_REGISTER_T0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_V0 PS_INPUTMAPPING_UNSIGNED_IDENTITY PS_REGISTER_C0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_T1 PS_INPUTMAPPING_EXPAND_NORMAL cdcc20cc PS_REGISTER_R1 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY PS_REGISTER_ZERO PS_INPUTMAPPING_UNSIGNED_INVERT PS_REGISTER_R0 PS_INPUTMAPPING_SIGNED_IDENTITY DWORD PSCompareMode; // Compare modes for clipplane texture mode DWORD PSFinalCombinerConstant0; // C0 in final combiner DWORD PSFinalCombinerConstant1; // C1 in final combiner DWORD PSRGBOutputs[8]; // Stage 0 RGB outputs 000000cd PS_REGISTER_R1 PS_COMBINEROUTPUT_CD_MULTIPLY PS_REGISTER_R0 PS_COMBINEROUTPUT_AB_MULTIPLY 00000c00 PS_REGISTER_R0 PS_COMBINEROUTPUT_AB_CD_SUM DWORD PSCombinerCount; // Active combiner count (Stages 0-7) 00011102 2 PS_COMBINERCOUNT_MUX_MSB PS_COMBINERCOUNT_UNIQUE_C0 PS_COMBINERCOUNT_UNIQUE_C1 DWORD PSTextureModes; // Texture addressing modes 00000021 PS_TEXTUREMODES_PROJECT2D PS_TEXTUREMODES_PROJECT2D DWORD PSDotMapping; // Input mapping for dot product modes DWORD PSInputTexture; // Texture source for some texture modes DWORD PSC0Mapping; // Mapping of c0 regs to D3D constants ffffff00 DWORD PSC1Mapping; // Mapping of c1 regs to D3D constants ffffffff DWORD PSFinalCombinerConstants; // Final combiner constant mapping 000001ff } D3DPIXELSHADERDEF; </pre> === Xbox vertex formats === <pre> 0000XXXC 44443333 2222111 NNNNVVVV V N: 1 0x34 D3DVSDT_PBYTE3 2 0x35 D3DVSDT_SHORT3 3 0x31 D3DVSDT_NORMSHORT3 4 0x16 D3DVSDT_NORMPACKED3 default normal 5 0x32 D3DVSDT_FLOAT3 default position C: 0x40 D3DVSDT_D3DCOLOR T1-4: 1 0x24 D3DVSDT_PBYTE2 2 0x25 D3DVSDT_SHORT2 3 0x21 D3DVSDT_NORMSHORT2 4 0x16 D3DVSDT_NORMPACKED3 5 0x22 D3DVSDT_FLOAT2 default X: tangent? XXX is index of tex coord set - 1 that has the data anything 0x16 D3DVSDT_NORMPACKED3 0x16 D3DVSDT_NORMPACKED3 default: 0 position 2 normal 3 color 9-C tex coords skin: stream 0 0 position 3 normal 4 color 5-8 tex coords stream 1 1 weights D3DVSDT_PBYTEn 2 indices D3DVSDT_SHORTn normmap: 40320000 ; vertex 40160001 ; normal 40220002 ; tex coords 40160003 ; ? 40160004 ; ? 40320000 ; vertex 40160001 ; normal 40400002 ; color 40220003 ; tex coords 40160004 ; ? 40160005 ; ? 20000000h 40320000h ; vertex 5 40160001h ; normal 4 40220002h ; tex coord 40400004h ; color 5 0FFFFFFFFh </pre> ef832c9119e0a945ded93519f38759505bbc3b40 0 3706 5385 5384 2017-05-24T16:15:42Z Codeasm 2480 /* Title ID */ added more publishers, modified LucasArts (No space) wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || BBC Multimedia |- | CC || |- | CK || |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 334af82240a7ec4231b17adab1ef5de9cca2c757 5386 5385 2017-05-24T16:22:13Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || |- | AT || |- | AV || Activision |- | AY || |- | BA || |- | BM || BAM! Entertainment |- | BR || |- | BS || Bethesda Softworks |- | BU || |- | BV || |- | BW || BBC Multimedia |- | CC || |- | CK || |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] b14082fda8fc9ee7580dd2fb945b80de0768e160 5387 5386 2017-05-24T18:06:05Z Codeasm 2480 /* Title ID */ Added more, but I dint add CK, SystemSoft Alpha or Kemco, not sure wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || |- | DX || |- | EA || Electronic Arts (EA) |- | EC || |- | EL || Enlight Software |- | EM || |- | ES || Eidos Interactive |- | FI || |- | FS || From Software |- | GE || |- | GV || |- | HE || |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 8e8f4a1df3a246c8e7ff8320b530cd109da917b0 5392 5387 2017-05-24T18:41:18Z Codeasm 2480 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 1a918d2861c872ffbe00c2fd9f0589d4eeca16a9 5393 5392 2017-05-24T18:51:25Z Codeasm 2480 /* Title ID */ Jay supplied 2 of these wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || SCi Games |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || Wanadoo Edition |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] fca51545e56425098318e9e3b278ce1cab50d5bc 5396 5393 2017-05-24T21:56:17Z KaosEngineer 2482 OXM Disc XBE Title ID wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || |- | HU || |- | IA || |- | IF || |- | IG || Infogrames |- | IL || |- | IM || imagine Media |- | IO || |- | IP || |- | IX || |- | JA || |- | JW || |- | KB || |- | KI || |- | KN || Konami |- | KO || |- | KU || |- | LA || LucasArts |- | LS || |- | MD || |- | ME || |- | MI || Microïds |- | MJ || |- | MM || |- | MP || |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || |- | NK || |- | NL || |- | NM || |- | OX || |- | PC || |- | PL || |- | RA || |- | SA || |- | SC || SCi Games |- | SE || SEGA |- | SN || |- | SS || |- | SU || |- | SW || |- | TA || |- | TC || |- | TD || |- | TK || |- | TM || TDK Mediactive |- | TQ || |- | TS || |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || |- | VN || |- | VU || |- | VV || Vivendi Universal Games |- | WE || Wanadoo Edition |- | WR || |- | XI || |- | XK || |- | XL || |- | XM || |- | XP || |- | YB || |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 4a8ac5333119765617bb0c2a40f85a48cdc4afe8 5397 5396 2017-05-24T22:54:17Z Codeasm 2480 /* Title ID */ Im done for today (VU is missing, check the citation needed sections) all other publishers seems to be added now. wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed}} |- | KI || Kids Station Inc. {{citation needed}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 46391520b1ebe12b3433123fa1bcd33798b1bcd5 5398 5397 2017-05-24T23:00:07Z Codeasm 2480 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media {{citation needed}} |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed}} |- | KI || Kids Station Inc. {{citation needed}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 8c9244c8cd2e7aa3c926756584b4b9234d45f313 5399 5398 2017-05-24T23:14:46Z Codeasm 2480 /* Title ID */ notes added... hope this is ok. wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media {{citation needed|reason=this from official source? or could it be "international"?=May 2017}} |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}}|- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed|reason=Who published this, also, TitleID doesnt seem to match any potencial publisher name|date=May 2017}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] daf33557b2ab3cc2117c501e73d06cced87e1c0b 5400 5399 2017-05-24T23:16:12Z Codeasm 2480 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media {{citation needed|reason=this from official source? or could it be "international"?=May 2017}} |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed|reason=Who published this, also, TitleID doesnt seem to match any potencial publisher name|date=May 2017}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 54c573090ff30df257dcfb07262a4b4430d86073 5402 5400 2017-05-24T23:23:02Z Codeasm 2480 /* Title ID */ IM is confirmed correct wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed|reason=Who published this, also, TitleID doesnt seem to match any potencial publisher name|date=May 2017}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 7b2a3269c8381fb2c071400aeb14b5f6c7e2b5eb 5403 5402 2017-05-25T02:14:27Z KaosEngineer 2482 Looks like VU and VV are both for Vivendi Universal Games. I see BloodRayne release US with MJ and EU with VV ID. http://www.mobygames.com/game/xbox/bloodrayne/release-info wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed|reason=Who published this, also, TitleID doesnt seem to match any potencial publisher name|date=May 2017}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] e75ae952c3d0ab71171be28f9e7c9697cbc1cc9e 0 3 5388 5310 2017-05-24T18:18:58Z JayFoxRox 2 /* History */ wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past] 05f1488e8383de977b596e637369e08887c5010b 0 3735 5389 2017-05-24T18:19:34Z JayFoxRox 2 Created page with "The visuals for the boot animation sequence were programmed by Pipeworks Software Inc. The audio programming was done by Brian Schmidt who was the audio design architect for..." wikitext text/x-wiki The visuals for the boot animation sequence were programmed by Pipeworks Software Inc. The audio programming was done by Brian Schmidt who was the audio design architect for the Xbox. * https://web.archive.org/web/20110930091539/http://www.pipeworks.com/products/games/detail/?game=151 * [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php Designing the Boot Sound for the Original Xbox (Brian Schmidt)] 01a20d2a871f3a1dfa36e83d216b522df7322e57 0 3736 5390 2017-05-24T18:30:37Z JayFoxRox 2 Created page with "In 2000, Pipeworks put together a demo to show off the potential computing power of the Xbox. The demo included Ping Pong, Japanese Garden and Desk Toys. It is not known if t..." wikitext text/x-wiki In 2000, Pipeworks put together a demo to show off the potential computing power of the Xbox. The demo included Ping Pong, Japanese Garden and Desk Toys. It is not known if this demo ever ran on a retail Xbox or if the demo was made available to the public.{{citation needed}} * https://web.archive.org/web/20110930091526/http://www.pipeworks.com/products/games/detail/?game=152 7f45044257d9c1fe7a5af59918069e8f09726dea 5391 5390 2017-05-24T18:31:07Z JayFoxRox 2 wikitext text/x-wiki In 2000, Pipeworks Software Inc. put together a demo to show off the potential computing power of the Xbox. The demo included Ping Pong, Japanese Garden and Desk Toys. It is not known if this demo ever ran on a retail Xbox or if the demo was made available to the public.{{citation needed}} * https://web.archive.org/web/20110930091526/http://www.pipeworks.com/products/games/detail/?game=152 f80a3c2dbc4f1183af7c8d2c1dc3d478aaeb2fcd 0 3700 5394 5374 2017-05-24T19:00:51Z JayFoxRox 2 /* Visible information on ring */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern with Xbox logo and some markings{{citation needed}} (opposite of the "XBOX" text without logo) == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] f675e26ebfd6baecb0d3494ec04fd23ace8bb871 5405 5394 2017-05-25T12:10:18Z Codeasm 2480 /* Visible information on ring */ Added ASPnnnn number information details I found. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position, ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} (opposite of the "XBOX" text without logo) [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 63e22c737116d51159f17d1edb1ed8c0ba715079 5406 5405 2017-05-25T12:12:38Z Codeasm 2480 Layout wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || || Unknown |- |64 || u8[256] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 6acf4c699a227641883bec27e75b90ed51d0c89c 0 3737 5395 2017-05-24T20:33:45Z Codeasm 2480 Created page with "Panther Software ( Panther Software ) is the game brand name of Panther Software Co., Ltd. Many love simulation games are produced. Old female group . 1987 : Established..." wikitext text/x-wiki Panther Software ( Panther Software ) is the game brand name of Panther Software Co., Ltd. Many love simulation games are produced. Old female group . 1987 : Established Studio Pansar Limited Company 1991 : Reorganized into a stock company, changed company name to Panther software 1999 : Korean Panther Software, Interlex (US subsidiary) established 2000 : Changed company name to Interlex Corporation (Panther software name continues as brand name) 2005 : Interrex sells game division, independent as Panther software [ http:\\game.interlex.co.jp/ Interlex Corporation game] 819b1bd13022a2ba6e5d2b43e189f84410e0764b 1 3738 5401 2017-05-24T23:19:35Z Codeasm 2480 Created page with " == Citation needed == Some games have a citation needed note. ive taken the liberty to add a note where I thought this might help checking if a publisher was known for sure o..." wikitext text/x-wiki == Citation needed == Some games have a citation needed note. ive taken the liberty to add a note where I thought this might help checking if a publisher was known for sure or somewhat further research is needed. if needed, we could remove those notes to here or use another tag for those. I dont want to just drop a "citation needed" without any reasoning. I could have made an error and for these I shared why I am not sure about one. Feel free to remove a note and cintation needed if you find the publisher correct. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 16:19, 24 May 2017 (PDT) 794c6ca1181cc2a7904fffd90fafaafee89fd47a 5433 5401 2017-05-26T00:05:58Z Mborgerson 2478 wikitext text/x-wiki FIXME: The file format details should be inlined into the wiki. == Citation needed == Some games have a citation needed note. ive taken the liberty to add a note where I thought this might help checking if a publisher was known for sure or somewhat further research is needed. if needed, we could remove those notes to here or use another tag for those. I dont want to just drop a "citation needed" without any reasoning. I could have made an error and for these I shared why I am not sure about one. Feel free to remove a note and cintation needed if you find the publisher correct. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 16:19, 24 May 2017 (PDT) e22277553faf783862a7e9fad0dd7c530415e2ba 6 3739 5404 2017-05-25T12:01:59Z Codeasm 2480 Inner hologram of a Xbox demo disk showing the inner detail ASP5080 CC0 1.0 Universal (CC0 1.0) wikitext text/x-wiki Inner hologram of a Xbox demo disk showing the inner detail ASP5080 CC0 1.0 Universal (CC0 1.0) 4b5495ac21e2609b1fa1823359f5c962054d44b8 0 8 5407 5267 2017-05-25T16:43:46Z JayFoxRox 2 /* Texturing modes */ wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |* |* |* |* | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |* |* |* |* | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |* |* |* |* | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |* |* |* |* | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |* |* |* |* | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |* |* |* |* | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV | |* |* |* | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV | |* |* |* | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | | | |* |* | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} | | |* |* | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} | | |* |* | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} | | |* | | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} | | | |* | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV | | | |* | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV | | | |* | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV | |* |* |* | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV | |* |* |* | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV | |* |* | | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV | | | |* | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf e8db7d1a5624eca2fa7d97ffef39420db1af17ca 5408 5407 2017-05-25T16:46:02Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} |{{no}} |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 8b94d15937d1f90d3ff8d25e10c247211dac9bec 5413 5408 2017-05-25T16:51:34Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?) == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf c3178ad7b3781ebefef820b583c852bf08a514d6 5415 5413 2017-05-25T16:57:29Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] (and [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2]?). Texturing modes are from: https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16 bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 2ef25d289e32ec146e70240eb34c76d0bd5566ab 5416 5415 2017-05-25T17:00:01Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16 bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf c11da5cba9e4a178e2fb58371f37993601ebb517 5417 5416 2017-05-25T17:11:22Z JayFoxRox 2 /* Data types */ wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texturing modes == {|class="wikitable" !ID !Name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE<br>texcoord?{{citation needed}} |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D<br>tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU<br>texcoord?{{citation needed}} |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE<br>texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP<br>texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM<br>texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF<br>texm3x2tex | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST<br>texm3x2pad?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW<br>texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR<br>texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB<br>texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 3b46b6b68259b93a7c58a80892a9dab087b68537 10 3740 5409 2017-05-25T16:47:38Z JayFoxRox 2 Created page with "style="height:100px; width:100px; text-align:center; background:#f8f" | &#x2713;" wikitext text/x-wiki style="height:100px; width:100px; text-align:center; background:#f8f" | &#x2713; c9c486d1a616902d9e24959d17f08b1e0e7f98d3 5410 5409 2017-05-25T16:49:03Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#9F9;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|Yes}}}<noinclude> |} {{documentation}} </noinclude> 8b2067e0b1a8f0d1f0814083bfe268c1a93927e3 5411 5410 2017-05-25T16:49:31Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#9F9;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2713;}}}<noinclude> |} {{documentation}} </noinclude> 14dfac36d52a176c397160f58f247c842c4d2105 5414 5411 2017-05-25T16:52:11Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#9F9;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2714;}}}<noinclude> |} {{documentation}} </noinclude> bb6e4edf56ac70faefb2c2d5bbf0d1e70148c66a 10 3741 5412 2017-05-25T16:51:07Z JayFoxRox 2 Created page with "<noinclude>{| class="wikitable" |- |</noinclude>style="background:#F99;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-no"|{{{1|&#x2717;}}}<noin..." wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#F99;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-no"|{{{1|&#x2717;}}}<noinclude> |} {{documentation}} </noinclude> 1d7348976277383cf4ec03551935ea879f8a41ef 0 3742 5418 2017-05-25T17:26:57Z JayFoxRox 2 Created page with "The EEPROM of the Xbox is connected via I²C and located on address 0x54. The EEPROM is 256 bytes and stores the settings of the Xbox. == Contents == {| class="wikitable" !..." wikitext text/x-wiki The EEPROM of the Xbox is connected via I²C and located on address 0x54. The EEPROM is 256 bytes and stores the settings of the Xbox. == Contents == {| class="wikitable" ! Offset !! Field !! Notes |- |} == Notes == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] 43079b72ebaa0b3ad78009cf222f8096123732ef 5419 5418 2017-05-25T17:27:51Z JayFoxRox 2 wikitext text/x-wiki The EEPROM of the Xbox is connected via I²C and located on address 0x54. The EEPROM is 256 bytes and stores the settings and other information about the Xbox. == Contents == {| class="wikitable" ! Offset !! Field !! Notes |- |} == Notes == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] dd719c1aba72ead787882caebf7d7e64b739788f 5423 5419 2017-05-25T19:01:36Z Espes 2484 wikitext text/x-wiki The EEPROM of the Xbox is connected via I²C and located on address 0x54. The EEPROM is 256 bytes and stores the settings and other information about the Xbox. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Contents == {| class="wikitable" ! Offset !! Field !! Notes |- |} == Notes == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] cd9748bde7af1822693537df3dd35ac0ebf24f9b 5424 5423 2017-05-25T19:06:36Z Mborgerson 2478 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == How to Dump Your EEPROM == === Software Dump === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Dump === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an [https://www.totalphase.com/products/aardvark-i2cspi/ I2C/SPI USB host adapter], build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface already. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 2def1512c95958ddb31d8a0e17c825b66b4902e8 5425 5424 2017-05-25T19:08:48Z Mborgerson 2478 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an [https://www.totalphase.com/products/aardvark-i2cspi/ I2C/SPI USB host adapter], build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface already. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] ec38ccd34c07ba52ba4ed054207f12621994b896 5426 5425 2017-05-25T19:32:05Z Mborgerson 2478 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] c76160f2a1c1b3e6beb9d0a1ffbef324fc7637bb 5428 5426 2017-05-25T20:19:48Z Mborgerson 2478 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] ff330df890b39e9d4acc3bd6bc1b8487386b46f9 0 3670 5420 5221 2017-05-25T17:39:57Z JayFoxRox 2 wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[MCPX ROM Dumping]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] 07558ed16d7199aed28eba41e73d9aa8c90b7a7d 0 3675 5421 5016 2017-05-25T18:23:12Z JayFoxRox 2 wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] c133f385858a6c66bd6f4a78c53eb22ab6e3a303 0 1 5422 5337 2017-05-25T18:52:06Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} Development * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] [[Xbox]] * [[Hardware revisions]] ** [[CPU|CPU (Custom Pentium 3 733 MHz)]] ** [[Memory]] ** [[BIOS]] ** [[MCPX]] [[MCPX ROM|(ROM)]] ** [[DVD Drive]] ** [[Hard Drive]] ** [[USB]] ** [[EEPROM]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[Xbox Debug Monitor]] * [[Operating System]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] [http://segaretro.org/Sega_Chihiro Chihiro] * [[Chihiro-Tools]] * [[Chihiro-Launcher]] [[:Category:Games|Games]] * [[Engine List]] Emulation * [[Emulators]] {{:Main Page/Xbox Live}} Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 4b471e58a08f54cdb874a633c48a9f97172dff18 5431 5422 2017-05-25T23:46:40Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet]] * [http://segaretro.org/Sega_Chihiro Chihiro] == Firmware/Kernel == * [[MCPX ROM]] * [[BIOS]] * [[Kernel]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Chihiro-Tools]] * [[Xbox Debug Monitor]] * [[Chihiro-Launcher]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 133e4c356a6d5f666f453d72989b1ccb2554820b 5432 5431 2017-05-25T23:53:01Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] * [http://segaretro.org/Sega_Chihiro Chihiro] == Firmware/Kernel == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Chihiro-Tools]] * [[Xbox Debug Monitor]] * [[Chihiro-Launcher]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] cd6d3ac6cca5cfbce23f837f9e55b421eeb2ac41 1 3743 5427 2017-05-25T19:49:27Z JayFoxRox 2 Wondering about Chihiro EEPROM key wikitext text/x-wiki == Chihiro key == Wouldn't we consider crypto-keys "dodgy shit"? Why is this here? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:49, 25 May 2017 (PDT) 6be210ae454fe9a0517a18ed06b184bcae959346 0 3689 5429 5329 2017-05-25T21:11:20Z Furon 2477 /* adminpw (Set administrator password) */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a command followed by <CR><LF> or <CR><NUL>. A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>setsystime</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>keyxchg</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {| class="wikitable" ! 4039+ | <code>adminpw none</code> | MANAGE |} Clear the administrator password. {| class="wikitable" ! 4039+ | <code>adminpw passwd=QWORD</code> | MANAGE |} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {| class="wikitable" ! 3944-4432 | width="99%" | <span style="font: 14px monospace">getfile name=</span> |- ! 4531+ | <span style="font: 14px monospace">getfile name= [offset= size=]</span> |} ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 53c9990af62dce96a9450f211e38a921d3309df0 1 3744 5430 2017-05-25T23:27:10Z Mborgerson 2478 Created page with "The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. Also we need a wiki logo. See [https://commons.wikimedia...." wikitext text/x-wiki The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. 0f584a60366d776240743bd23c55c010539e11cd 1 3745 5434 2017-05-26T00:06:25Z Mborgerson 2478 Created page with "FIXME: Inline details about FATX" wikitext text/x-wiki FIXME: Inline details about FATX 0f992837687d4b71fea3c649c73339ff7e522e62 1 3744 5435 5430 2017-05-26T00:08:11Z Mborgerson 2478 wikitext text/x-wiki The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. -MB I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time. It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. -MB 963c6ef8ea53b070ce36d18f3b5fa28555905053 5436 5435 2017-05-26T00:08:43Z Mborgerson 2478 wikitext text/x-wiki The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. -MB I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. -MB b3fe8c4524fba1a02a33233eda9d1b43541dece6 5437 5436 2017-05-26T00:10:43Z Mborgerson 2478 wikitext text/x-wiki The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) 03584f01b8256aa93c233693884fbcec8d8683e4 5445 5437 2017-05-26T08:34:06Z JayFoxRox 2 wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) f3b6255d4b46db52a0909a461d8c775c64769d9d 5446 5445 2017-05-26T08:35:33Z JayFoxRox 2 wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) a5b2177a9c47b550c3b0cb4613a2d4bc9bd94438 1 3745 5438 5434 2017-05-26T00:11:00Z Mborgerson 2478 wikitext text/x-wiki FIXME: Inline details about FATX [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:11, 25 May 2017 (PDT) 4f55de07f83549ad6715f92fff743af089898dba 1 3738 5439 5433 2017-05-26T00:11:05Z Mborgerson 2478 wikitext text/x-wiki FIXME: The file format details should be inlined into the wiki. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:11, 25 May 2017 (PDT) == Citation needed == Some games have a citation needed note. ive taken the liberty to add a note where I thought this might help checking if a publisher was known for sure or somewhat further research is needed. if needed, we could remove those notes to here or use another tag for those. I dont want to just drop a "citation needed" without any reasoning. I could have made an error and for these I shared why I am not sure about one. Feel free to remove a note and cintation needed if you find the publisher correct. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 16:19, 24 May 2017 (PDT) c06834c07e5f4e978f1296898c1389ee56c8b0cc 1 3746 5440 2017-05-26T04:15:07Z Furon 2477 Created page with "== Crypto notes == The hash function used throughout XBDM is a [https://en.wikipedia.org/wiki/One-way_compression_function#Matyas.E2.80.93Meyer.E2.80.93Oseas Matyas–Meyer..." wikitext text/x-wiki == Crypto notes == The hash function used throughout XBDM is a [https://en.wikipedia.org/wiki/One-way_compression_function#Matyas.E2.80.93Meyer.E2.80.93Oseas Matyas–Meyer–Oseas one-way compression function] built on what appears to be a homegrown [https://en.wikipedia.org/wiki/Feistel_cipher balanced Feistel cipher] with a 64-bit key, 64-bit blocks, and 16 rounds. I can't find references to any of the constants online. b4f2124a4d6c44f1ea8b6042d4680e14a6e49df3 0 3706 5441 5403 2017-05-26T07:56:16Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media, Inc. |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co., Ltd. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co Ltd |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co., Ltd |- | GV || Groove Games |- | HE || Tru Blu Entertainment division of Home Entertainment Suppliers |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive, Inc. [[http:\\phx.corporate-ir.net/phoenix.zhtml?c=69024&p=irol-newsArticle&ID=839612 press release]] |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || imagine Media |- | IO || Ignition entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE, Inc. (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D, Inc. |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Deep Silver {{citation needed|reason=Who published this, also, TitleID doesnt seem to match any potencial publisher name|date=May 2017}} |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster, Inc. |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || (Xbox kiosk disk?) {{citation needed}} |- | XL || (Xbox special bundled or live demo disk?) {{citation needed}} |- | XM || Evolved Games (Probably not, game "Malice") {{citation needed}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games, formerly Zoo Digital Publishing |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] bbddef43bd611f959b9ed8438b0356bbd250637e 5444 5441 2017-05-26T08:31:59Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 83b0eedb1717918edf84c45ea124a47afbedc517 10 3747 5442 2017-05-26T07:59:41Z JayFoxRox 2 Created page with "^{''<span title="This information is incomplete and needs more work or research">FIXME</span>''}<noinclude> ==Documentation== ''<nowiki>{{FIXME}}</nowiki>'' * Tells a..." wikitext text/x-wiki ^{''<span title="This information is incomplete and needs more work or research">FIXME</span>''}<noinclude> ==Documentation== ''<nowiki>{{FIXME}}</nowiki>'' * Tells a visitors that something is missing. * Displays: ^{''<span title="This information is incomplete and needs more work or research">FIXME</span>''}<noinclude> * If you see FIXME somewhere, try to add the missing information to it <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> 7a35f1721fa378aae81d70093679f44e013ea711 5443 5442 2017-05-26T08:00:19Z JayFoxRox 2 wikitext text/x-wiki ^{''[<span title="This information is incomplete and needs more work or research">FIXME</span>]''}<noinclude> ==Documentation== ''<nowiki>{{FIXME}}</nowiki>'' * Tells a visitors that something is missing. * Displays: ^{''[<span title="This information is incomplete and needs more work or research">FIXME</span>]''}<noinclude> * If you see FIXME somewhere, try to add the missing information to it <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> 91e5add4503cfbc4c2f38473ee2dbc719e071c8a 0 3748 5447 2017-05-26T08:45:49Z JayFoxRox 2 Created page with "The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the co..." wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 2a739ae19045a2757108c3db8af6892054293a00 5448 5447 2017-05-26T08:46:14Z JayFoxRox 2 JayFoxRox moved page [[SMC]] to [[System Management Controller]] wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 2a739ae19045a2757108c3db8af6892054293a00 5451 5448 2017-05-26T10:30:09Z JayFoxRox 2 /* Revisions */ wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P2L{{citation needed}} 42ffd315cb87131167dfd8b2141f7cad7f281f2f 5452 5451 2017-05-26T10:32:11Z JayFoxRox 2 wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P2L{{citation needed}} a6ad692c59159f967fdb2a7c1ea8643afa9768b6 0 3749 5449 2017-05-26T08:46:14Z JayFoxRox 2 JayFoxRox moved page [[SMC]] to [[System Management Controller]] wikitext text/x-wiki #REDIRECT [[System Management Controller]] b09fb9f62bc88871884ab7ef5fe0027cb6e3dc08 0 1 5450 5432 2017-05-26T08:46:37Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] * [http://segaretro.org/Sega_Chihiro Chihiro] == Firmware/Kernel == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Chihiro-Tools]] * [[Xbox Debug Monitor]] * [[Chihiro-Launcher]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] ef55201cfe3fc6f429a7a830fa391ef47990cb17 5453 5450 2017-05-26T10:34:31Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] * [http://segaretro.org/Sega_Chihiro Chihiro] == Firmware/Kernel == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Chihiro-Tools]] * [[Xbox Debug Monitor]] * [[Chihiro-Launcher]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] a98519677070374e8f88385841fd22f7686f49b7 5455 5453 2017-05-26T11:04:37Z JayFoxRox 2 /* Firmware/Kernel */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] * [http://segaretro.org/Sega_Chihiro Chihiro] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Chihiro-Tools]] * [[Xbox Debug Monitor]] * [[Chihiro-Launcher]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] c431e2925e1f47e2ee6d84bd78d08438cf7ce61c 5458 5455 2017-05-26T11:22:51Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] * [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] 107e88ddcfd4477a045b42bcdfa6796f71ee1066 5462 5458 2017-05-26T17:29:00Z JayFoxRox 2 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] == Getting started == * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] * [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Combating_spam Learn how to combat spam on your wiki] eda23c9a4b1f57689cb12a2509407c12010d7728 5465 5462 2017-05-26T18:42:21Z Espes 2484 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware revisions]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] d1fe98aef65972a3b1083f1ed750461842475c25 5469 5465 2017-05-26T21:07:21Z Mborgerson 2478 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 9d32768e60bf9d3ef4cf7d5379b7dd6449a42d0f 5470 5469 2017-05-26T21:08:16Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] d7b36697eea651a832e8a69250497a5c9d68b8a0 5473 5470 2017-05-26T21:08:43Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 6cf6afbd0bb47fe0288bb12ab76fca00d765cfbf 5476 5473 2017-05-26T21:09:02Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 9d32768e60bf9d3ef4cf7d5379b7dd6449a42d0f 5477 5476 2017-05-26T21:10:29Z Mborgerson 2478 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[Power Supply]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 954af41e2e8d2947fc65e8411a6ff0c3615e450c 0 3750 5454 2017-05-26T10:35:52Z JayFoxRox 2 Created page with "== Conexant == == Focus == == xcalibur ==" wikitext text/x-wiki == Conexant == == Focus == == xcalibur == fc4f5d702053f9310383d081c8ef1ed9a930e463 5474 5454 2017-05-26T21:08:54Z Mborgerson 2478 Mborgerson moved page [[Video encoder]] to [[Video Encoder]] wikitext text/x-wiki == Conexant == == Focus == == xcalibur == fc4f5d702053f9310383d081c8ef1ed9a930e463 0 3751 5456 2017-05-26T11:16:05Z JayFoxRox 2 Created page with "== MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack ===..." wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20# hack === Uses a legacy x86 feature. === TEA attack === TEA can not be used as a hash. == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] cb3b632a86d2a48df856e08270fbe3230e77fef8 5460 5456 2017-05-26T11:26:40Z JayFoxRox 2 wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20# hack === Uses a legacy x86 feature. === TEA attack === TEA can not be used as a hash. == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] ff4f26e093c6436e9a123ded259e8c1510eab3fc 0 3752 5457 2017-05-26T11:19:45Z JayFoxRox 2 Created page with "== Also see == * [https://github.com/JayFoxRox/Chihiro-Tools Set of tools to extract MAME Chihiro dumps] * [https://github.com/JayFoxRox/Chihiro-Launcher A tool to load some..." wikitext text/x-wiki == Also see == * [https://github.com/JayFoxRox/Chihiro-Tools Set of tools to extract MAME Chihiro dumps] * [https://github.com/JayFoxRox/Chihiro-Launcher A tool to load some Chihiro games on the original Xbox] d73f4ca35c699b08e79a24e699eb8bd519720fc8 5459 5457 2017-05-26T11:24:03Z JayFoxRox 2 wikitext text/x-wiki == Also see == * [http://segaretro.org/Sega_Chihiro Chihiro information at Sega Retro] * [https://github.com/JayFoxRox/Chihiro-Tools Set of tools to extract MAME Chihiro dumps] * [https://github.com/JayFoxRox/Chihiro-Launcher A tool to load some Chihiro games on the original Xbox] d6d16bc016c31050c99cf3d5b48e16d87a8f047a 0 3753 5461 2017-05-26T12:18:23Z JayFoxRox 2 Redirected page to [[Xbox Input Devices]] wikitext text/x-wiki #REDIRECT [[Xbox_Input_Devices]] 54a66ce294fad57ee8d384b2380535f879a16432 0 3703 5463 5252 2017-05-26T18:38:21Z Espes 2484 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |[[XQEMU]] | |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |HLE |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE |[http://mamedev.org/ MAME/Chihiro] | |MAME Team |Windows/Linux/Mac/Others | | |- |Unknown |LLE |[http://mamedev.org/ MAME/Xbox] | |MAME Team |Windows/Linux/Mac/Others | |Does this exist yet?{{citation needed}} |- |Dead |Unknown |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead | |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 33d64110980a53b9d6cac15f574043e00c36db54 0 3688 5464 5074 2017-05-26T18:39:20Z Espes 2484 wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> This wiki will become the place for all remaining Xbox projects to come together. If you are interested in helping or discussing this, please come chat with us in #xqemu on freenode or Cxbx-Reloaded/Lobby on gitter.im. </div> </div> fa1d803fcf12900900feae760c8c5c5c98f2cfae 0 3671 5466 5076 2017-05-26T19:36:52Z JayFoxRox 2 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors (there are 4 of them) and also the USB, PCI, IDE, etc, controllers{{citation needed}}. The MCPX is also the home to the secret [[MCPX ROM]]. af98b761499c9c767e2bbe3b37ede9441a64d8bc 0 3 5467 5388 2017-05-26T20:13:38Z Mborgerson 2478 /* History */ wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video) 6541bb61b452288fda8ef6f2c516c4345b807e06 5468 5467 2017-05-26T20:13:46Z Mborgerson 2478 wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] f24cc30ace023e8754d4c8bb645e03124339b85d 0 3669 5471 5018 2017-05-26T21:08:34Z Mborgerson 2478 Mborgerson moved page [[Hardware revisions]] to [[Hardware Revisions]] wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Chip]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 223490e3ac91eeae7b1292510429c2aa37c5e403 5484 5471 2017-05-26T21:23:24Z Mborgerson 2478 wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Encoder]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 6dd2e43d62fcd9368f6a925abd2ab837deea6bf8 0 3754 5472 2017-05-26T21:08:34Z Mborgerson 2478 Mborgerson moved page [[Hardware revisions]] to [[Hardware Revisions]] wikitext text/x-wiki #REDIRECT [[Hardware Revisions]] 706febcdd24de8e260670dc71f7ef383a6a41fee 0 3756 5478 2017-05-26T21:14:27Z Mborgerson 2478 Created page with "[[File:800px-Xbox-Motherboard-BR.jpg]]" wikitext text/x-wiki [[File:800px-Xbox-Motherboard-BR.jpg]] cbd5d72c606e8f809ce173c0728a387bd6b0283f 5479 5478 2017-05-26T21:15:04Z Mborgerson 2478 wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|Xbox-Motherboard-BR]] 3a05aa5667548fafd93ab3e7dfedc610952d798b 5481 5479 2017-05-26T21:18:33Z Mborgerson 2478 wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Motherboard]] ea6525719f7386032876da01556783fd42d58b60 5482 5481 2017-05-26T21:20:27Z Mborgerson 2478 wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox 1.0 Motherboard]] 5f0effd12298d4be4eb0c347844845e66dc52cb9 5483 5482 2017-05-26T21:20:41Z Mborgerson 2478 wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] e6e05dfa9b983845547bc4e51f512f3fc7af92f0 6 3757 5480 2017-05-26T21:16:34Z Mborgerson 2478 English: The motherboard for the Xbox, a sixth-generation gaming console made by Microsoft that was first released in 2001. The Xbox was Microsoft's first foray into the gaming console market, and was followed by the Xbox 360 in 2005. The console is no... wikitext text/x-wiki English: The motherboard for the Xbox, a sixth-generation gaming console made by Microsoft that was first released in 2001. The Xbox was Microsoft's first foray into the gaming console market, and was followed by the Xbox 360 in 2005. The console is notable for having a built-in hard drive, breakaway controller dongles and an Ethernet port to support Microsoft's online gaming service, Xbox Live. The motherboard for the Xbox contains a custom 32-bit, 733 MHz Intel Pentium III CPU. It has 64 MB of DDR memory and a 233 MHz Nvidia GPU. Source: https://commons.wikimedia.org/wiki/File:Xbox-Motherboard-BR.jpg Author: Evan-Amos License: Public Domain 7bfc8b4f19be7ae38575a0acc8764ab525c0a4e0 0 3689 5485 5429 2017-05-26T23:16:46Z Furon 2477 /* Remote Debugging and Control Protocol */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {| class="wikitable" ! 4039+ | <code>adminpw none</code> | MANAGE |} Clear the administrator password. {| class="wikitable" ! 4039+ | <code>adminpw passwd=QWORD</code> | MANAGE |} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {| class="wikitable" ! 3944+ | <code>getfile name=STRING</code> |} Retrieve the entire contents of the named file. {| class="wikitable" ! 4531+ | <code>getfile name=STRING offset=DWORD size=DWORD</code> |} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 64a4b03c45fe14e2d0e16449dc7c6e4375c04952 6 3758 5486 2017-05-27T01:23:05Z Furon 2477 Icon made by [http://www.flaticon.com/authors/dinosoftlabs DinosoftLabs] from www.flaticon.com wikitext text/x-wiki Icon made by [http://www.flaticon.com/authors/dinosoftlabs DinosoftLabs] from www.flaticon.com 31d511f8167b52dab196a4e889ba3b584fecf89b 10 3759 5487 2017-05-27T01:30:22Z Furon 2477 Created page with "{| class="wikitable" ! {{{version|3944+}}} | <code>{{{text}}}</code> | [[File:Padlock.png]] {{{privs|-}}} |}" wikitext text/x-wiki {| class="wikitable" ! {{{version|3944+}}} | <code>{{{text}}}</code> | [[File:Padlock.png]] {{{privs|-}}} |} 1d2c3751c2c9ad1080f6551c428b0bc6a90d6735 0 3689 5488 5485 2017-05-27T01:34:36Z Furon 2477 /* Commands */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. e78fe4e93ed3bc56fc061860a2c247dda245235a 5493 5488 2017-05-27T23:01:02Z JayFoxRox 2 /* External Links */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 12f9cec4df2c6937e0fa2cc68720a20fcdde733f 0 3703 5489 5463 2017-05-27T12:08:59Z JayFoxRox 2 Added Chihiro support info wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |{{Yes}} |[[XQEMU]] | |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |HLE |{{No}} |[[Cxbx-Reloaded]] | |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |Dead |Unknown |{{No}} |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |Unknown |{{No}} |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 5e253784da2e374775d90792ab7c42388c8a9fdb 1 3760 5490 2017-05-27T17:44:32Z JayFoxRox 2 /* Move data from cxbx */ new section wikitext text/x-wiki == Move data from cxbx == https://github.com/Echelon9/cxbx-shogun/blob/master/src/CxbxKrnl/EmuD3D8/PixelShader.cpp#L467 uses the nvidia names a711fd212c6c0c461745e5637a6316b7d4be10d8 0 3748 5491 5452 2017-05-27T20:10:12Z JayFoxRox 2 /* Revisions */ wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P2L{{citation needed}} * D01 (Seen in a debug kit) d41636351ff786ef831e6fb48f19c7d0513621cc 0 1 5492 5477 2017-05-27T22:15:21Z Furon 2477 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[Power Supply]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] b582591ec925617b123d0b2d31fab7cf025681ef 5495 5492 2017-05-28T13:28:05Z JayFoxRox 2 /* System Software */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[Power Supply]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[Memory]] * [[MCPX]] * [[DVD Drive]] * [[Hard Drive]] * [[USB]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[Xbox Game Disc]] * [[Xbox Input Devices]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[NVNet|Network Controller (NVNet)]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 690f077eaa5a17961ad627310cba78bff1d7d009 5500 5495 2017-05-28T14:00:23Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 000ee333b054a59e21ca1e53a62b9ab07853e4cf 0 3690 5494 5087 2017-05-27T23:01:13Z JayFoxRox 2 wikitext text/x-wiki '''Xbox Neighborhood''' is a Windows shell extension that provides the ability to manage files on Xbox Development Kits in Windows Explorer. ==External Links== * [https://bitbucket.org/remnantmods/yelo-neighborhood/ Yelo Neighborhood] – An open-source re-implementation of [[Xbox Neighborhood]] written in C#. d0f834d6791f2504a1543c8b8b5aba93dd07149f 0 3672 5496 5236 2017-05-28T13:28:40Z JayFoxRox 2 /* References */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile TSOP ROM chip and connected to the MCPX via the LPC bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] a4f64ef7cbaba259dfe42ef4b015e252cc2758e6 5501 5496 2017-05-28T15:06:51Z Furon 2477 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the MCPX via the <abbr title="Low Pin Count">LPC</abbr> bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 8d4944c5a003d1a8f6ff9d6690bf7b0944f2ae21 5502 5501 2017-05-28T15:07:41Z Furon 2477 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored on a 1MB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. The image is actually 256KB, duplicated 4 times to fill the 1MB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 5d5bd091c3090cf44e37ee122aa084dd72a4142f 5507 5502 2017-05-28T16:05:36Z JayFoxRox 2 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me. === xcodes === From 0x00000080 - Copyright string These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). See the table above for the start positions. === Kernel === Still need to analyse === Kernel Data Segment === Still need to analyse === 2BL === Still need to analyse === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 89f4b7da0ec4d3b3b708f0af5e81110fa16cd020 0 3683 5497 5079 2017-05-28T13:29:52Z JayFoxRox 2 JayFoxRox moved page [[MCPX HLE]] to [[Boot Process]] wikitext text/x-wiki If we wish to HLE the MCPX, then there are certain things that can be ignored, for example, getting the CPU to 32 bit protected mode and enabling caching. == Xcodes == The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> == RC4 Decryption of the 2BL == Decryption of the 2BL seems to happen in 4 stages. === Stage 1 === Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> === Stage 2 === Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> === Stage 3 === Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> === Stage 4 === Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 0366549ca0d66134fcb692655de9144004b88f06 5499 5497 2017-05-28T13:35:54Z JayFoxRox 2 wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === GDT setup === === Paging === === Kernel decryption === == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 398afe96807225e1d784885491a43b94004740f3 5503 5499 2017-05-28T15:08:51Z JayFoxRox 2 /* 2BL */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === The MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} === GDT setup === === Paging === === Kernel decryption === == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 2864973bc0d65454acf6de61dbc2a01687575ba7 5504 5503 2017-05-28T15:11:06Z JayFoxRox 2 /* MTRR Setup */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === GDT setup === === Paging === === Kernel decryption === == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) e79374a833171730c1dc37fa9d57cbae8db8b0bf 5505 5504 2017-05-28T15:17:58Z JayFoxRox 2 /* 2BL */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the BIOS will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x80400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === GDT setup === === Paging === === Kernel decryption === == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) d468351e7b5da9b2710b9d651845ace351fdd866 5506 5505 2017-05-28T15:58:41Z JayFoxRox 2 /* 2BL */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x90000. It is 24K in size. <pre> void decrypt() { uint32_t stack_pointer = 0x8f000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x90000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} == Self-copy == Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000{{FIXME}}: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |} Once the PDE is set up, it is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The Kernel is decrypted in-place. The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 33ac5a6fed2017ee2fce3bea2b5f1ae71dd6e1ef 5509 5506 2017-05-28T16:55:34Z JayFoxRox 2 /* Stage 3 */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} == Self-copy == Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000{{FIXME}}: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |} Once the PDE is set up, it is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The Kernel is decrypted in-place. The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) e6236625f173081e1d7b126ad9f6dbf1f4bd56b2 5511 5509 2017-05-28T17:05:27Z JayFoxRox 2 /* Kernel decryption */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} == Self-copy == Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000{{FIXME}}: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |} Once the PDE is set up, it is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 99290e1f2fc8e419b35179a1fea846aa40e501bd 5514 5511 2017-05-28T19:21:30Z JayFoxRox 2 /* Self-copy */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000{{FIXME}}: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |} Once the PDE is set up, it is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 6daf7603da571a3221e6fd944b5b372073525855 5515 5514 2017-05-28T19:49:20Z JayFoxRox 2 Added PDEs, still wip wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000{{FIXME}}: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity mapping of first 256MiB: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Clearing the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |} Once the PDE is set up, it is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 84819315908940c86afa3fe9797725bc92a3d164 5516 5515 2017-05-28T20:13:16Z JayFoxRox 2 PD should be complete wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity mapping of first 256MiB: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Clearing the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Maps the upper portion of the Flash (4 MiB page) to address 0xC0000000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 76cc1cde964c0321f86648158b2644b9c5598ae9 5517 5516 2017-05-28T20:14:36Z JayFoxRox 2 /* Paging */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Clearing the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 4640b0a177b5ff17243dfd4aec7fe9b2cb6a4ab4 5518 5517 2017-05-28T20:15:23Z JayFoxRox 2 /* Paging */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from {{FIXME}} to {{FIXME}}. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 14931154f9071efc5225b340010d7f009a7ed2c8 5519 5518 2017-05-28T20:21:40Z JayFoxRox 2 /* Memory cleanup */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 409129756f95df65f6245edb1e6d580f12ceeee9 5520 5519 2017-05-28T20:22:24Z JayFoxRox 2 /* Self-copy */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Writes 0xCC repeatedly from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 9b3a27a817c484b1c685540d780077e83b9383f6 5521 5520 2017-05-28T20:23:39Z JayFoxRox 2 /* Memory cleanup */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. esp is now also reloaded to point at the higher mapping. It will be set to 0x80400000 (absolute value, independent of previous esp value). === Disabling of the MCPX ROM === === SMC Watchdog handling === === Memory cleanup === Fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. === Weird stuff 1{{FIXME}} === === Weird stuff 2{{FIXME}} === === Weird stuff 3{{FIXME}} === === Loading the kernel === ==== Kernel-copy ==== The Kernel is now copied into RAM. ==== Kernel decryption ==== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ==== Kernel decompression ==== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. === Running the kernel === The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 6097cc7b16e2b96e05804164947a9f9c26b7ffbf 5522 5521 2017-05-28T20:37:21Z JayFoxRox 2 /* 2BL */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x8000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Weird stuff 1{{FIXME}} ==== ==== Weird stuff 2{{FIXME}} ==== ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) f551b74ed0815cd3ac26e83c99efb8e3eb2d09f1 5523 5522 2017-05-28T23:17:28Z JayFoxRox 2 /* Paging */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Weird stuff 1{{FIXME}} ==== ==== Weird stuff 2{{FIXME}} ==== ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decrytpion key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) fe4f22c2c20dd1860151d0b8dc5395c31f9f37f8 5524 5523 2017-05-29T09:03:37Z Eighthpence 2472 /* Kernel decryption */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Weird stuff 1{{FIXME}} ==== ==== Weird stuff 2{{FIXME}} ==== ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 0201155d6b91141c9e4cd4a8ee6c9f2d48326956 5525 5524 2017-05-29T09:31:58Z JayFoxRox 2 /* Weird stuff 2{{FIXME}} */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Weird stuff 1{{FIXME}} ==== ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 189eb3bda34ca225aac4fafa7f6322c394bbd4ba 5526 5525 2017-05-29T09:44:39Z JayFoxRox 2 /* Weird stuff 1{{FIXME}} */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using Hynix RAM instead of Samsung RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 4bc34a92075efd49e64098189b793ff9ea70e9e9 5527 5526 2017-05-29T09:49:40Z JayFoxRox 2 /* Setup RAM timing */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3{{FIXME}} ==== ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 4f2d5f760177041bda1a429d310a1b7aead13860 5530 5527 2017-05-29T10:33:44Z JayFoxRox 2 /* Weird stuff 3{{FIXME}} */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Weird stuff 0{{FIXME}} ==== ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) a9ace67ece36520f430e03f7967989528d4b2de4 5531 5530 2017-05-29T10:45:29Z JayFoxRox 2 Straight from cromwell :) wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 5055e22ee325a67e9f1b9ed115b6ffd8b8216348 5535 5531 2017-05-29T11:35:03Z JayFoxRox 2 /* Disabling of the MCPX ROM */ wikitext text/x-wiki == Overview == == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) e6f1b4d1b0ee7090603b12412b724c7112eb2da6 0 3761 5498 2017-05-28T13:29:52Z JayFoxRox 2 JayFoxRox moved page [[MCPX HLE]] to [[Boot Process]] wikitext text/x-wiki #REDIRECT [[Boot Process]] ce2d848bf8efe60922866b02e38dc1d9a09db509 0 3762 5508 2017-05-28T16:06:14Z JayFoxRox 2 Created page with "The Flash is a 1MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus..." wikitext text/x-wiki The Flash is a 1MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. It usually stores the [[BIOS]]. 13dfc1cb5ca6a3afd88f5a5e135e6a77c70ea32d 0 3670 5510 5420 2017-05-28T16:58:54Z JayFoxRox 2 /* Dumping the MCPX ROM */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[Exploits#MCPX|MCPX exploits]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. From what I can tell, Microsoft implemented a TEA algorithm to create a hash of a particular section of the BIOS (many times), and if that was correct, it would jump to 0xffffd600. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] f60d3dd1cf9686b6999061482e5c5ef637891216 0 8 5512 5417 2017-05-28T18:55:27Z JayFoxRox 2 D3D portion stolen from Cxbx wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texturing modes == {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} Also known from nvidia docs: * texm3x3pad [stage 1, stage 2] * texm3x3spec [stage 3] * texm3x3vspec [stage 3] * texm3x3tex [stage 3] == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 115d6e5485313f1849ac90dc9dfeb64227ceefe7 5513 5512 2017-05-28T18:55:43Z JayFoxRox 2 /* Texturing modes */ wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texturing modes == {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf 64b3eef603e0e14a99ad04abbbb96b4310c8d4e5 0 3669 5528 5484 2017-05-29T09:50:23Z JayFoxRox 2 /* 1.6 */ wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Encoder]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip * Xyclops chip Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] c4aa4471dabf8ebeb443ea6af7ab7121bdc179a8 5529 5528 2017-05-29T09:50:59Z JayFoxRox 2 /* 1.5 */ wikitext text/x-wiki There are 7 Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Encoder]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * BIOS no longer flashable * Removed data and power lines from LPC port * Xcalibur video chip * Xyclops chip Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN TWWFF L is the production line NNNNNN is the number produced that week Y is the last digit of the production year WW is the number of the week FF is the factory code Note, this table contradicts the previous table. {| ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} {| ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 6725504cd9b7cbd9157ecbc8e00f9bc85807d1df 0 3752 5532 5459 2017-05-29T11:16:13Z Espes 2484 wikitext text/x-wiki == Also see == * [https://github.com/mamedev/mame/blob/master/src/mame/drivers/chihiro.cpp Chihiro MAME driver] * [http://segaretro.org/Sega_Chihiro Chihiro information at Sega Retro] * [https://github.com/JayFoxRox/Chihiro-Tools Set of tools to extract MAME Chihiro dumps] * [https://github.com/JayFoxRox/Chihiro-Launcher A tool to load some Chihiro games on the original Xbox] ae0bc266d5dc5d6ef637b4b1b90de5cd35b4ae50 0 3763 5533 2017-05-29T11:27:19Z Espes 2484 Created page with " by Michael Steil (original version: 1 May 2002, updated 26 September 2002) == Seagate (10 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=ST31021..." wikitext text/x-wiki by Michael Steil (original version: 1 May 2002, updated 26 September 2002) == Seagate (10 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=ST310211A, FwRev=6.55, SerialNo=6DB2WQW2 Config={ HardSect NotMFM HdSw&gt;15uSec Fixed DTR&gt;10Mbs RotSpdTol&gt;.5% } RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=0 BuffType=unknown, BuffSize=512kB, MaxMultSect=16, MultSect=16 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=19541088 IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 mdma2 udma0 udma1 *udma2 AdvancedPM=no WriteCache=enabled Drive Supports : Reserved : ATA-1 ATA-2 ATA-3 ATA-4 </pre> === Detailed information as reported by hdparm -I === <pre>non-removable ATA device, with non-removable media Model Number: ST310211A Serial Number: 6DB2WQW2 Firmware Revision: 6.55 Standards: Supported: 1 2 3 4 Likely used: 5 Configuration: Logical max current cylinders 16383 16383 heads 16 16 sectors/track 63 63 bytes/track: 0 (obsolete) bytes/sector: 0 (obsolete) current sector capacity: 16514064 LBA user addressable sectors = 19541088 Capabilities: LBA, IORDY(can be disabled) Buffer size: 512.0kB Queue depth: 1 Standby timer values: spec'd by standard r/w multiple sector transfer: Max = 16 Current = 16 DMA: mdma0 mdma1 mdma2 udma0 udma1 *udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=240ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * look-ahead * write cache * Power Management feature set * Security Mode feature set SMART feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- below Vih Device num = 1 Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 3.51 seconds = 18.23 MB/sec Timing buffer-cache reads: 128 MB in 0.85 seconds =150.59 MB/sec </pre> == Western Digital (8 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=WDC WD80EB-28CGH1, FwRev=24.84G24, SerialNo=*************** Config={ HardSect NotMFM HdSw&gt;15uSec SpinMotCtl Fixed DTR&gt;5Mbs FmtGapReq } RawCHS=15509/16/63, TrkSize=57600, SectSize=600, ECCbytes=40 BuffType=DualPortCache, BuffSize=768kB, MaxMultSect=16, MultSect=off CurCHS=15509/16/63, CurSects=15633072, LBA=yes, LBAsects=15633072 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 *mdma2 UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 AdvancedPM=no WriteCache=enabled Drive conforms to: device does not report version: 1 2 3 4 5 </pre> === Detailed information as reported by hdparm -I === <pre>ATA device, with non-removable media Model Number: WDC WD80EB-28CGH1 Serial Number: *************** Firmware Revision: 24.84G24 Standards: Supported: 5 4 3 2 Likely used: 6 Configuration: Logical max current cylinders 15509 15509 heads 16 16 sectors/track 63 63 -- CHS current addressable sectors: 15633072 LBA user addressable sectors: 15633072 device size with M = 1024*1024: 7633 MBytes device size with M = 1000*1000: 8004 MBytes (8 GB) Capabilities: LBA, IORDY(can be disabled) bytes avail on r/w long: 40 Queue depth: 1 Standby timer values: spec'd by Standard, with device specific minimum R/W multiple sector transfer: Max = 16 Current = 0 Recommended acoustic management value: 128, current value: 254 DMA: mdma0 mdma1 *mdma2 udma0 udma1 udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=120ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * Look-ahead * Write cache * Power Management feature set * Security Mode feature set * SMART feature set Automatic Acoustic Management feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- above Vih Device num = 0 determined by CSEL Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 6.58 seconds = 9.73 MB/sec Timing buffer-cache reads: 128 MB in 3.28 seconds = 39.02 MB/sec </pre> Retrieved from [http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Technical_Details] 7a590191c29e3ea7918d1db6d0f78c5eaa7f7ca5 0 3764 5534 2017-05-29T11:32:42Z Espes 2484 Created page with "Retrieved from [http://www.xbox-linux.org/wiki/Porting_an_Operating_System_to_the_Xbox_HOWTO] == Differences == The Xbox hardware consists of standard components, like a P..." wikitext text/x-wiki Retrieved from [http://www.xbox-linux.org/wiki/Porting_an_Operating_System_to_the_Xbox_HOWTO] == Differences == The Xbox hardware consists of standard components, like a Pentium III Celeron CPU, an nForce chipset and IDE DVD and hard disk drives. Still there are a few differences, some of which would make an unmodified operating system crash. === Chipset === The Xbox chipset is basically an nVidia nForce 420, but with a GeForce "NV2A" integrated (instead of a GeForce2 MX), and with an Intel instead of an AMD CPU. Here is the output of "lspci" on a PC nForce: <pre>00:00.0 Host bridge: nVidia Corporation nForce CPU bridge (rev b2) 00:00.1 RAM memory: nVidia Corporation nForce 220/420 Memory Controller (rev b2) 00:00.2 RAM memory: nVidia Corporation nForce 220/420 Memory Controller (rev b2) 00:00.3 RAM memory: nVidia Corporation nForce 420 Memory Controller (DDR) (rev b2) 00:01.0 ISA bridge: nVidia Corporation nForce ISA Bridge (rev c3) 00:01.1 SMBus: nVidia Corporation nForce PCI System Management (rev c1) 00:02.0 USB Controller: nVidia Corporation nForce USB Controller (rev c3) 00:03.0 USB Controller: nVidia Corporation nForce USB Controller (rev c3) 00:04.0 Ethernet controller: nVidia Corporation nForce Ethernet Controller (rev d2) 00:05.0 Multimedia audio controller: nVidia Corporation: Unknown device 01b0 (rev c2) 00:06.0 Multimedia audio controller: nVidia Corporation nForce Audio (rev c2) 00:08.0 PCI bridge: nVidia Corporation nForce PCI-to-PCI bridge (rev c2) 00:09.0 IDE interface: nVidia Corporation nForce IDE (rev c3) 00:1e.0 PCI bridge: nVidia Corporation nForce AGP to PCI Bridge (rev b2) 02:00.0 VGA compatible controller: nVidia Corporation NVCrush11 [GeForce2 MX Integrated Graphics] (rev b1) </pre> On the Xbox, the output looks like this: <pre>00:00.0 Host bridge: nVidia Corporation: Unknown device 02a5 (rev a1) 00:00.3 RAM memory: nVidia Corporation: Unknown device 02a6 (rev a1) 00:01.0 ISA bridge: nVidia Corporation nForce ISA Bridge (rev d4) 00:01.1 SMBus: nVidia Corporation nForce PCI System Management (rev d1) 00:02.0 USB Controller: nVidia Corporation nForce USB Controller (rev d4) 00:03.0 USB Controller: nVidia Corporation nForce USB Controller (rev d4) 00:04.0 Ethernet controller: nVidia Corporation nForce Ethernet Controller (rev d2) 00:05.0 Multimedia audio controller: nVidia Corporation: Unknown device 01b0 (rev d2) 00:06.0 Multimedia audio controller: nVidia Corporation nForce Audio (rev d2) 00:06.1 Modem: nVidia Corporation Intel 537 [nForce MC97 Modem] (rev d1) 00:08.0 PCI bridge: nVidia Corporation nForce PCI-to-PCI bridge (rev d2) 00:09.0 IDE interface: nVidia Corporation nForce IDE (rev d4) 00:1e.0 PCI bridge: nVidia Corporation nForce AGP to PCI Bridge (rev a1) 01:00.0 VGA compatible controller: nVidia Corporation: Unknown device 02a0 (rev a1) </pre> PCI bus 0 is almost identical, except for the Xbox only having a single memory controller. Bus 1 on the PC contains all PCI cards. Since the Xbox does not support PCI cards, the AGP bus on the Xbox is bus 1 instead of bus 2. ==== PCI Enumeration Bug ==== These two differences between the PC and the Xbox version of the nForce chipset have introduced three bugs into the chipset that all have to do with PCI enumeration: * The nonexistent memory controllers at 0:0.1 and 0:0.2 are completely broken: If you try to probe them, i.e. read out their PCI IDs, the Xbox freezes. * There are ghost devices on bus 1, after the video controller (1:0.0). You get garbage if you try to probe them. * The same is true for the complete bus 2. So if your operating system scans the PCI bus in order to find out what drivers need to be loaded for the PCI devices, do not touch 0:0.1 and 0:0.2. The easiest fix would be to start the PCI enumeration with 0:1.0, as the first few devices need no driver anyway, but the following code, taken from the Xbox Linux kernel, handles this better and also hides the ghost devices: <pre>if (mach_pci_is_blacklisted(bus, PCI_SLOT(devfn), PCI_FUNC(devfn))) return -EINVAL; static inline int mach_pci_is_blacklisted(int bus, int dev, int fn) { if(machine_is_xbox) { return (bus &gt; 1) || ((bus != 0) &amp;&amp; ((dev != 0) || (fn != 0))) || (!bus &amp;&amp; !dev &amp;&amp; ((fn == 1) || (fn == 2))); } } </pre> Note that some operating systems (or even some applications) repeat the PCI enumeration later: On Unix systems, the XFree86/X.org X Window servers for example do that, but this can be deactivated using a configuration parameter (or of course patched in the source code). ==== No Keyboard Controller ==== The Xbox is a legacy free PC, so it does not contain a so-called "Super-I/O Chip" which includes old ISA hardware such as * serial port * parallell port * floppy disk controller * keyboard controller In general, this should be no problem for any operating system; there is just one thing: Many operating systems (such as Linux up some 2.4.x version) assume that every PC has a keyboard controller (although this is not true for many embedded x86 as well as Itanium systems), and therefore statically allocate interrupt line 1 for the keyboard controller. The problem is that the original Xbox hardware initialization code (as well as Cromwell) put the first USB controller on interrupt 1, so if the operating system already has it allocated, the first USB controller will not work. On a 1.0 Xbox this means that no USB devices (including, ironically, a keyboard) will work, while on later boxes this only affects two of the four connectors. So make sure that your operating system checks for a keyboard controller and allocates no interrupt if it does not exist. The following code, taken from the Linux kernel, shows how to check for a keyboard controller: <pre>#define kbd_read_input() inb(KBD_DATA_REG) #define kbd_read_status() inb(KBD_STATUS_REG) if (kbd_read_status() == 0xff &amp;&amp; kbd_read_input() == 0xff) kbd_exists = 0; </pre> ==== Timer Frequency ==== The system timer inside the "8254 PIT" unit of the chipset on a PC has a base frequency of 1.193182 MHz. The number of task switches, the system clock and all timing for multimedia is usually based on the interrupts generated by the PIT unit. For some unknown reason, this base frequency is 1.125000 MHz on the Xbox, which is about 6% lower. If your operating system does not handle this difference, multimedia plays at the wrong speed and the system clock (if you have a software clock and do not use the hardware clock) will be incorrect quite quickly. So all you have to do is to search for the constant of 1193182 (sometimes it is 1193180) and replace it with code like this: <pre>timer_base = machine_is_xbox? 1125000 : 1193182; </pre> In case your operating system defines this as a constant, you have to change it into a variable and make sure it is assigned early enough. In this case, it should be a good idea to assign it as soon as you detect whether the machine is an Xbox. ==== Reboot and Poweroff ==== The Xbox chipset has no ACPI capabilities, so it is not possible to shut it down using the ACPI protocol. It is also not possible to reset the Xbox like a PC, because it lacks the keyboard controller which usually includes this feature. Both these functions are handled by the "System Management Controller" SMC (also called the "PIC"), which is a device on the SMBus. In order to communicate with a device on the SMBus, you need a driver for the Xbox SMBus controller, which is AMD754 compatible. Linux for example includes this driver. But there is no need to statically include a complete bus driver just for this simple function: The SMBus on the Xbox is simple enough to be controlled with just two small C functions. The following code is all you need: <pre>#define XBOX_SMB_IO_BASE 0xC000 #define XBOX_SMB_GLOBAL_ENABLE (0x2 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_ADDRESS (0x4 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_DATA (0x6 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_COMMAND (0x8 + XBOX_SMB_IO_BASE) #define XBOX_PIC_ADDRESS 0x10 #define SMC_CMD_POWER 0x02 #define SMC_SUBCMD_POWER_RESET 0x01 #define SMC_SUBCMD_POWER_CYCLE 0x40 #define SMC_SUBCMD_POWER_OFF 0x80 static void xbox_pic_cmd(u8 command) { outw_p(((XBOX_PIC_ADDRESS) &lt;&lt; 1), XBOX_SMB_HOST_ADDRESS); outb_p(SMC_CMD_POWER, XBOX_SMB_HOST_COMMAND); outw_p(command, XBOX_SMB_HOST_DATA); outw_p(inw(XBOX_SMB_IO_BASE), XBOX_SMB_IO_BASE); outb_p(0x0a, XBOX_SMB_GLOBAL_ENABLE); } void xbox_power_reset(char * __unused) { xbox_pic_cmd(SMC_SUBCMD_POWER_RESET); } void xbox_power_cycle(char * __unused) { xbox_pic_cmd(SMC_SUBCMD_POWER_CYCLE); } void xbox_power_off(void) { xbox_pic_cmd(SMC_SUBCMD_POWER_OFF); } </pre> ''xbox_power_reset'' just resets the system while ''xbox_power_cycle'' turns it off and turns it back on after half a second. Please note that the above SMBus code lacks error detection and should not be used in the general case. === DVD Driver === Although the DVD drives in the Xbox are basically standard IDE drives, there are some differences, some due to protection issues, and some because of bugs in their firmwares. ==== Reset on Eject ==== On the PlayStation, it was possible to trick the console into loading copies by inserting an original, having the CD checked and quickly replacing it with a copy. The designers of the Xbox made this trick impossible by having an additional security chip, the SMC, which resets the system if the user presses the eject button or even tries to manually eject the tray. But the system does not ''always'' reset in this case. In the Xbox Dashboard, for example, it is possible to open the tray. Every time the user presses the eject button or the tray opens (for example if the drive ejects on request of software), the PIC sends an EXTSMI# interrupt to the CPU. If the software running on the CPU handles this interrupt and sends back a message to the PIC, then the system will not be reset. The code in [[arch/i386/mach-xbox/reset-on-eject.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/arch/i386/mach-xbox/reset-on-eject.c?rev=1.2&amp;view=auto'') in the Xbox Linux kernel handles this. Again, you need SMBus code to talk to the SMC. ==== DVD Drive Bugs ==== Microsoft uses several different DVD drives in the Xbox, some of which have its compatibility problems: {| border="1" |- | '''drive string''' | '''problems''' |- | "THOMSON-DVD" | pretends it cannot play audio or dvds; does not understand the ATAPI eject command |- | "PHILIPS XBOX DVD DRIVE" | does not understand the ATAPI eject command |- | "PHILIPS J5 3235C" | pretends it cannot play audio or dvds |- | "SAMSUNG DVD-ROM SDG-605B" | no issues |} In addition, none of these drives respect door locking when the user presses the eject button. So if you do nothing, some drives won't respond to software eject commands, and some will refuse to play DVD or audio content, because the player software thinks the drive cannot do it. If you want to support all these DVD drives completely, you have to add some code to the ATAPI CD/DVD driver code in your operating system, which probably already includes some tests for other devices, because many CD/DVD drives report incorrect capabilities. The table above includes the exact string identifiers for these Xbox DVD drives, so you can easily check for them. If the drive does not understand the ATAPI eject command (as well as the load command), you have to issue an eject command to the SMC. The file [[include/linux/xbox.h]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/include/linux/xbox.h?rev=1.1&amp;view=auto'') includes the code you will need. The following two lines are taken from this file: <pre>#define Xbox_tray_load() Xbox_SMC_write(SMC_CMD_EJECT, SMC_SUBCMD_EJECT_LOAD); #define Xbox_tray_eject() Xbox_SMC_write(SMC_CMD_EJECT, SMC_SUBCMD_EJECT_EJECT); </pre> Please note that having an Xbox DVD drive installed does not necessarily mean that we are running on an Xbox. It is possible (although impractical, because of the incompatible power connectors) to use them in a standard PC. So if the drive does not understand the ATAPI eject command, and we are not running on an Xbox, there is no way to eject the tray, as the drive does not even have its own eject button - and you should of course not send SMC commands on the PC. The Linux implementation of this behaviour can be found in [[drivers/ide/ide-cd.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/ide/ide-cd.c?rev=1.13&amp;view=auto''). When detecting the drives, the driver notes in the drive's kernel structure whether it is an Xbox drive and whether it can eject, and corrects the incorrect capabilities. As the physical eject button, which is connected to the SMC, does not respect whether the tray is supposed to be locked, the driver simulates this in software. Locking/unlocking the door: <pre>if (xbox_drive &amp;&amp; machine_is_xbox) { simulated_lock = lock; } </pre> Ejecting/loading: <pre>if (machine_is_xbox &amp;&amp; xbox_drive &amp;&amp; cannot_eject) { if (load) { Xbox_tray_load(); } else { simulated_lock = 0; Xbox_tray_eject(); } return; } </pre> The reset-on-eject driver, which catches eject button presses, should then also respect the flag "simulated_lock" and not open the door if it is locked in software. Please also note that although certain capability flags of the Xbox drives are correct, software can still have a problem with them. An example on Unix is cdparanoia: If a CD drive has a headphone, then it assumes it must support playing audio CDs. This is logical. But cdparanoia assumes that if a drive has no headphone jack, it does not support audio CDs, but this is not true. All Xbox DVD drives can rip audio CDs, although they all have no headphone jack (and correctly report that). === Video Driver === Fully supporting the Xbox video hardware could mean a lot of work (or at least a lot of copying from the Xbox kernel). But there is no need to implement a complete video driver. Both bootloaders provided by the Xbox Linux project set up a 640x480 screen (32 bit colour, RGBX), which is useful for many setups. This linear framebuffer lies at the top of memory (around 60 MB) and can be used by your operating system without ever touching any video registers. This just works like the VESA modes supported by most operating systems, which get set up by the boot loader (using BIOS functions) and never get switched afterwards. Have a look at the bootloader section to learn how to find out where this framebuffer is located. If you want full support, you can reuse driver code for nVidia video hardware, as the Xbox video hardware is fully nVidia compatible. The problem is just that the Xbox does not have a VGA RAMDAC, but a PAL/NTSC video encoder (which is connected through the SMBus), so you always need to make sure when you set up a new mode that the video encoder is also correctly set up, or else you will get garbage on the screen. Unfortunately, there is one of three incompatible video encoders in every Xbox: The first Xboxes used Connexant chips (1.0 to 1.3), later ones used Focus components (1.4 and 1.5), and 1.6 Xboxes include an integrated Xcalibur unit. That is why you might have to copy a lot of code from the Xbox Linux kernel and have others with different Xboxes test your code. You can find all this code in [[drivers/video/xbox/*]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/video/xbox/''). === Hard Disk === The Xbox includes a standard 8 or 10 GB hard disk. For security reasons (the user should be unable to just connect it to a PC) they are locked with an ATA password, but as the firmware already unlocks it, you should not have to care about this, unless you send ATA reset commands to the drive - which you should avoid. Nevertheless, you might want your operating system to coexist with the Xbox system software, then you have to respect the existing partitioning and install it (probably as an image file) onto an existing partition. ==== Xbox Partitioning ==== The Xbox uses an implicit partitioning scheme, which is described in the articles [[Xbox Partitioning and Filesystem Details]] and [[Xbox Hard Disk Partitioning]]. In order to detect whether the hard drive is Xbox-partitioned, you have to check for the "BRFR" magic value, which must always be present. If this is too little evidence for you, you can also check for the "FATX" header in the "System Files" (C:) partition, but you should not assume any more FATX headers. You should also create a sixth partition for the space between 8 GB and 137 GB, and a seventh partition for the space above 137 GB in order to be compatible with patched Xbox kernels that work with larger hard disks. You might want to consider allowing two partitioning systems active at the same time: Xbox partitioning, which defines (at least) the lowermost 8 GB, and standard PC partitioning using a PC partition table (the first sector on the hard disk is unused). Therefore, in Xbox Linux, the Xbox partitions are assigned the numbers 50 to 56, while the Pc partitions start with 1. In Xbox Linux, this code is located in [[fs/partitions/check.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/fs/partitions/check.c?rev=1.9&amp;view=auto'') and [[fs/partitions/xbox.c xbox.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/fs/partitions/xbox.c?rev=1.7&amp;view=auto''). ==== FATX filesystem ==== On the hard disk, the Xbox exclusively uses the FATX filesystem, which is a simplified version of FAT16/FAT32. The articles [[Xbox Partitioning and Filesystem Details]] and [[Differences between Xbox FATX and MS-DOS FAT]] explain FATX in detail. === Peripherals === ==== Xbox Gamepad ==== The Xbox gamepad is a USB device with a proprietary protocol, which you can find in the Xbox Linux kernel in [[drivers/usb/input/xpad.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/usb/input/xpad.c?rev=1.5&amp;view=auto''). You might want to add emulation for mouse and/or keyboard as well. ==== Remote Control ==== The remote control is similar to the gamepad. Keyboard and mouse emulation may make sense for it as well. &lt;! --==== Xbox Live Headset ==== --&gt; === Other System Components === ==== USB ==== The Xbox has a standard OHCI host controller, which your operating system hopefully supports out of the box. ==== Ethernet ==== The Ethernet controller of the Xbox is an nForce "nvnet". The Linux driver [[forcedeth]] (''http://www.hailfinger.org/carldani/linux/patches/forcedeth/'') supports it completely. === Sensors === There are two temperature sensors on the Xbox (CPU and system). Standard Linux drivers support them. You can control the system fan using the SMC. See the Xbox Linux "tools" source code for details. 85ebfb90b7cb528d6c3cd87a46c9234ae62e189f 0 3765 5536 2017-05-29T12:13:54Z Espes 2484 Created page with "Retrieved from [http://www.xbox-linux.org/wiki/NForce] This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as furt..." wikitext text/x-wiki Retrieved from [http://www.xbox-linux.org/wiki/NForce] This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives. == nForce == The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours: * IGP-64: 64 bit memory bus * IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation * MCP-D: includes Dolby Digital encoder * MCP: Dolby Digital encoder disabled So these are the four possible combinations: {| class="wikitable" |- | | MCP | MCP-D |- | IGP-64 | nForce 220 | nForce 220D |- | IGP-128 | nForce 420 | nForce 420D |} [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/] The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A. [https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de] [https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm] Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side: * The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2". * The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128. == Crush == "Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX. [https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/] == nForce &amp; Xbox == The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1). [https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&amp;p=3] == AMD Heritage == There is the following rumour, which is could not fully verify yet: * Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware. * When alpha hardware had already bee built, Intel made a better deal * Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an AMD CPU * Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia. * nVidia sold the same chipset for PCs, calling it "nForce". This is the reason why * the Xbox is the only nForce chipset with an Intel CPU * the AMD chipset and the nForce chipset are so similar Evidence: * The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c]) * The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c] * The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111. * The nForce and AMD-768 modems are compatible. * At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136). * The nForce uses HyperTransport. * [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html] * ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/] {| class="wikitable" |- | | Northbridge | Southbridge |- | AMD-760 | AMD-761 | AMD-766 |- | AMD-760MP | AMD-762 | AMD-766 |- | AMD-760MPX | AMD-762 | AMD-768 |} [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs] <br /> The nForce chipset might be based on the AMD-760 chipset. == More Links == [https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm] 25633d01b1a99888852df2097931eb195e31a706 5585 5536 2017-05-31T08:42:55Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/NForce}} This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives. == nForce == The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours: * IGP-64: 64 bit memory bus * IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation * MCP-D: includes Dolby Digital encoder * MCP: Dolby Digital encoder disabled So these are the four possible combinations: {| class="wikitable" |- | | MCP | MCP-D |- | IGP-64 | nForce 220 | nForce 220D |- | IGP-128 | nForce 420 | nForce 420D |} [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/] The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A. [https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de] [https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm] Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side: * The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2". * The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128. == Crush == "Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX. [https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/] == nForce &amp; Xbox == The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1). [https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&amp;p=3] == AMD Heritage == There is the following rumour, which is could not fully verify yet: * Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware. * When alpha hardware had already bee built, Intel made a better deal * Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an AMD CPU * Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia. * nVidia sold the same chipset for PCs, calling it "nForce". This is the reason why * the Xbox is the only nForce chipset with an Intel CPU * the AMD chipset and the nForce chipset are so similar Evidence: * The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c]) * The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c] * The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111. * The nForce and AMD-768 modems are compatible. * At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136). * The nForce uses HyperTransport. * [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html] * ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/] {| class="wikitable" |- | | Northbridge | Southbridge |- | AMD-760 | AMD-761 | AMD-766 |- | AMD-760MP | AMD-762 | AMD-766 |- | AMD-760MPX | AMD-762 | AMD-768 |} [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs] <br /> The nForce chipset might be based on the AMD-760 chipset. == More Links == [https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm] c16fb1d9b05b47eb0a887d2ababd7243d962943f 0 3763 5537 5533 2017-05-29T12:14:44Z Espes 2484 wikitext text/x-wiki Retrieved from [http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Technical_Details] by Michael Steil (original version: 1 May 2002, updated 26 September 2002) == Seagate (10 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=ST310211A, FwRev=6.55, SerialNo=6DB2WQW2 Config={ HardSect NotMFM HdSw&gt;15uSec Fixed DTR&gt;10Mbs RotSpdTol&gt;.5% } RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=0 BuffType=unknown, BuffSize=512kB, MaxMultSect=16, MultSect=16 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=19541088 IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 mdma2 udma0 udma1 *udma2 AdvancedPM=no WriteCache=enabled Drive Supports : Reserved : ATA-1 ATA-2 ATA-3 ATA-4 </pre> === Detailed information as reported by hdparm -I === <pre>non-removable ATA device, with non-removable media Model Number: ST310211A Serial Number: 6DB2WQW2 Firmware Revision: 6.55 Standards: Supported: 1 2 3 4 Likely used: 5 Configuration: Logical max current cylinders 16383 16383 heads 16 16 sectors/track 63 63 bytes/track: 0 (obsolete) bytes/sector: 0 (obsolete) current sector capacity: 16514064 LBA user addressable sectors = 19541088 Capabilities: LBA, IORDY(can be disabled) Buffer size: 512.0kB Queue depth: 1 Standby timer values: spec'd by standard r/w multiple sector transfer: Max = 16 Current = 16 DMA: mdma0 mdma1 mdma2 udma0 udma1 *udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=240ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * look-ahead * write cache * Power Management feature set * Security Mode feature set SMART feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- below Vih Device num = 1 Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 3.51 seconds = 18.23 MB/sec Timing buffer-cache reads: 128 MB in 0.85 seconds =150.59 MB/sec </pre> == Western Digital (8 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=WDC WD80EB-28CGH1, FwRev=24.84G24, SerialNo=*************** Config={ HardSect NotMFM HdSw&gt;15uSec SpinMotCtl Fixed DTR&gt;5Mbs FmtGapReq } RawCHS=15509/16/63, TrkSize=57600, SectSize=600, ECCbytes=40 BuffType=DualPortCache, BuffSize=768kB, MaxMultSect=16, MultSect=off CurCHS=15509/16/63, CurSects=15633072, LBA=yes, LBAsects=15633072 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 *mdma2 UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 AdvancedPM=no WriteCache=enabled Drive conforms to: device does not report version: 1 2 3 4 5 </pre> === Detailed information as reported by hdparm -I === <pre>ATA device, with non-removable media Model Number: WDC WD80EB-28CGH1 Serial Number: *************** Firmware Revision: 24.84G24 Standards: Supported: 5 4 3 2 Likely used: 6 Configuration: Logical max current cylinders 15509 15509 heads 16 16 sectors/track 63 63 -- CHS current addressable sectors: 15633072 LBA user addressable sectors: 15633072 device size with M = 1024*1024: 7633 MBytes device size with M = 1000*1000: 8004 MBytes (8 GB) Capabilities: LBA, IORDY(can be disabled) bytes avail on r/w long: 40 Queue depth: 1 Standby timer values: spec'd by Standard, with device specific minimum R/W multiple sector transfer: Max = 16 Current = 0 Recommended acoustic management value: 128, current value: 254 DMA: mdma0 mdma1 *mdma2 udma0 udma1 udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=120ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * Look-ahead * Write cache * Power Management feature set * Security Mode feature set * SMART feature set Automatic Acoustic Management feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- above Vih Device num = 0 determined by CSEL Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 6.58 seconds = 9.73 MB/sec Timing buffer-cache reads: 128 MB in 3.28 seconds = 39.02 MB/sec </pre> 633222ac6571f11c49999520a8467a57be1d14ef 0 3742 5538 5428 2017-05-29T12:18:02Z Espes 2484 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 219bc999647029a0353edbe5279aa3b83b656640 0 3683 5539 5535 2017-05-29T12:19:04Z Espes 2484 /* Overview */ wikitext text/x-wiki == Overview == The Xbox has a 256 KB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3. In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows an error screen and halts. == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === RC4 Decryption of the 2BL === Decryption of the 2BL seems to happen in 4 stages. ==== Stage 1 ==== Initialising the working space. The MCPX ROM seems to just write 1, 2, 3, 4.... 253, 254, 255 in memory addresses 0x8f000 to 0x850FF. This might look something like: <pre> void init_rc4() { uint32_t stack_pointer = 0x8f000; for (int iterator = 0; iterator <= 255; iterator++) { set_memory_byte(stack_pointer + iterator, iterator); } } </pre> ==== Stage 2 ==== Preparing for decryption. This gets the key from memory location 0xFFFFFFA5 and starts preparing and environment for decryption of the 2BL. <pre> void load_key() { uint32_t key_location = 0xffffffa5; uint32_t stack_pointer = 0x8f000; uint8_t i, j = 0; for (int iterator = 0; iterator <= 255; iterator++) { i = get_memory_byte(iterator + stack_pointer); j += i + get_memory_byte(key_location + (iterator % 16)); set_memory_byte(iterator+stack_pointer, get_memory_byte(j+stack_pointer)); set_memory_byte(j+stack_pointer, i); } } </pre> ==== Stage 3 ==== Perform the decryption. The MCPX reads the 2BL from 0xFFFF9E00 and decrypts it to 0x00090000. It is 24KiB in size. <pre> void decrypt() { uint32_t stack_pointer = 0x0008F000; uint32_t encrypted = 0xFFFF9E00; uint32_t decrypted = 0x00090000; uint8_t a, b, j, i = 0; i = get_memory_byte(stack_pointer + 0x100); // 0 j = get_memory_byte(stack_pointer + 0x101); // 0 for (int edi = 0; edi <= 0x6000; ++edi) { ++i; a = get_memory_byte(stack_pointer + i); j += a; b = get_memory_byte(stack_pointer + j); set_memory_byte(stack_pointer + i, b); set_memory_byte(stack_pointer + j, a); a += b; b = get_memory_byte(edi + encrypted); a = get_memory_byte(stack_pointer + a); b ^= a; set_memory_byte(edi + decrypted, b); } } </pre> ==== Stage 4 ==== Verification. Finally the MCPX reads a string from the un-encrypted 2BL and compares it to a magic number. If it matches, all was successful, and we jump to the start of the 2BL to start decrypting the kernel. <pre> void verify() { if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = 0x900000; } else { // Else, things have gone wrong eip = 0xFFFFFF94; } } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] (I cannot express enough just how helpful this page is) 261083a88b0843f6ca7e31de623d7e9f05dbfb5a 5548 5539 2017-05-29T17:51:53Z Mborgerson 2478 wikitext text/x-wiki == Overview == The Xbox has a 256 KB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3. In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows an error screen and halts. == MCPX == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = get_memory_dword(0x900000); } else { // Else, things have gone wrong eip = 0xFFFFFF94; } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] cc9733dba1d6a4c06550a1364c938709ee748128 5549 5548 2017-05-29T17:52:24Z Mborgerson 2478 wikitext text/x-wiki == Overview == The Xbox has a 256 KB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3. In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows an error screen and halts. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> if (get_memory_dword(0x95FE4) == MAGIC_NUMBER) { eip = get_memory_dword(0x900000); } else { // Else, things have gone wrong eip = 0xFFFFFF94; } </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 28aaca511aace8c282e7648d363798793e466d7b 5568 5549 2017-05-30T04:36:24Z Mborgerson 2478 wikitext text/x-wiki == Overview == The Xbox has a 256 KB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3. In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows an error screen and halts. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 2149dfaa4769069c6ef9a6e59ee9841add78a42b 5571 5568 2017-05-30T15:59:21Z JayFoxRox 2 /* Overview */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is {{FIXME|reason=What happens to this?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] e6cda6755ae00549c7454b9047b24caf639d8d78 5572 5571 2017-05-30T16:00:16Z JayFoxRox 2 /* Chain of trust */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Startup animation === === Kernel Re-initialization === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 73f8904e72e063ab53b6c62a920689a0ff0272ad 5573 5572 2017-05-30T22:59:03Z JayFoxRox 2 /* Kernel */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 01b7621f496e27ca7e8a146b91eb72abf7b6e800 5574 5573 2017-05-30T23:25:18Z JayFoxRox 2 /* Re-initialization */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: * Anything already done by Stage 1 and Stage 2 * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] aa695cba6d4dffda5260aedbdfe07c96fad7908c 5575 5574 2017-05-30T23:28:07Z JayFoxRox 2 /* Skipped initialization */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order) * Anything already done by Stage 1 and Stage 2 * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] a388bcf34c9321387b44457a12e21762f35aa746 5576 5575 2017-05-30T23:31:56Z JayFoxRox 2 /* Skipped initialization */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; uint32_t eip = 0xff000080; // Not really EIP. This is just a pointer to the next xcode uint32_t result, scratch = 0; while (run_xcodes) { opcode = get_memory_byte(eip); operand_1 = get_memory_dword(eip+1); operand_2 = get_memory_dword(eip+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { eip += operand_2; } break; case 0x09: eip += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: run_xcodes = 0; default: break; } eip += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] d6c0158b4d8b5c23d08f8079b8fbb13c74d8de11 0 3766 5540 2017-05-29T12:20:54Z Espes 2484 Created page with "Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connect..." wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. ==SMBus Controller Port Layout== {| class="wikitable" |- | '''Port''' | Description'''''' |- | 0xc000 | '''Status''' bit 0: abort bit 1: collision bit 2: protocol error bit 3: busy bit 4: cycle complete bit 5: timeout |- | 0xc002 | '''Control''' bit 2-0: cycle type bit 3: start bit 4: enable interrupt bit 5: abort |- | 0xc004 | '''Address''' |- | 0xc006 | '''Data''' |- | 0xc008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | Conexant CX25871 Video Encoder | 0x45 | 0x8a |- | ADM1032 System Temperature Monitor | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. 3a69b0c66e1241a06ff935ae9d441adc2dc4fd3b 0 3767 5541 2017-05-29T12:22:36Z Espes 2484 Created page with "Retrieved from [http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview] The Xbox is a standard PC, based on standard components, but extended with a some security solutions...." wikitext text/x-wiki Retrieved from [http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview] The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MB; 0xFFFC0000, if the ROM is 256 KB) into the but the Xbox kernel. == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == The PIC16LC is a small 8 bit processor running at 20 MHz with its own ROM, RAM and I/O lines. It controls: * Power button * Eject button * Power/error LED * DVD tray status (through extra pins to DVD drive) * Video cable type (3 pins) The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. == Video Encoder == The Xbox does not use an ordinary [https://web.archive.org/web/20100617022211/http://en.wikipedia.org/wiki/RAMDAC RAMDAC] for video output. Instead, it employs a <em>video encoder</em>. Video encoder is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a RAMDAC would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the times &ndash; three different video encoders have been used this far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel.) They are, however, not register-compatible. Two of the video encoders (namely, Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [https://web.archive.org/web/20100617022211/http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. (This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal.) The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/SMBus_Controller" title="SMBus Controller">I²C/SMBus</a>. === Conexant CX25871 === [https://web.archive.org/web/20100617022211/http://www.conexant.com:9000/cgi-bin/query?mss=srchprod&amp;pg=q&amp;i=IDXPRODSRCH&amp;q=cx25870 Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions v1.0 through v1.3. If you follow the link, you will find a product brief and a complete data sheet, with register-level programming information. === Focus FS454 === [https://web.archive.org/web/20100617022211/http://www.focusinfo.com/solutions/catalog.asp?id=30 Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. The data sheet containing the necessary programming information is available from the manufacturer by separate request. Copies of it have also been seen floating around the net. === Xcalibur === The "Xcalibur" video encoder is a custom chip manufactured for Microsoft. It was first used in the Xbox hardware revision 1.6. The Xbox-Linux support the Xcalibur video encoders is very limited at present (see <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/Xbox_v1.6_Issues" title="Xbox v1.6 Issues">Xbox v1.6 Issues</a>). The reason for this is that there is, at least currently, no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another MS-specific chip, named Xyclops. == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == The Serial EEPROM holds some settings, such as time zone, language, IP address etc., as well as the hard disk key and the Xbox serial number. == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 61e508517e742fa577ed8eef8ddcb3b0f8dcc824 0 3768 5542 2017-05-29T12:23:49Z Espes 2484 Created page with "Retrieved from [http://www.xbox-linux.org/wiki/DVD-IR_Internals] by ''Rob Reilink'', 3 Mar 2003 ==Introduction== The DVD-IR remote receiver is a part of the DVD kit whi..." wikitext text/x-wiki Retrieved from [http://www.xbox-linux.org/wiki/DVD-IR_Internals] by ''Rob Reilink'', 3 Mar 2003 ==Introduction== The DVD-IR remote receiver is a part of the DVD kit which allows you to view DVDs on your Xbox. It comes together with a remote controller. Although it may seem just a simple microcontroller device with a receiver module, there is something more inside which could make it even more interesting. ==Pictures== Ok, let's start with the pictures from the internals: '''Missing image'''<br />''Dvdirfront.jpg'' <br />Image:Dvdirfront.jpg<br /><br /> '''Missing image'''<br />''Dvdirback.jpg'' <br />Image:Dvdirback.jpg<br /><br /> ==IC's== So, what is inside and what does it do? * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. ==Hacking!== As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. It should be noted though, that the ROM is probably scrambled. Also, the microcontroller could encrypt the data even more. As the mask ROM is not a proprietary device, it is known not to contain any encryption hardware. On the other hand is it quite reasonable to assume Microsoft also signed this piece of code, and the dashboard might refuse to run it if it is not signed. bc891902f582ef699e1f52cb96900f70d132f7a1 0 3692 5543 5151 2017-05-29T13:54:48Z Wayo 2479 /* Xbox Live */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. [Wikipedia] === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] 3baeb0eac433b2a2f9dcfca3f371d651337c3e39 5544 5543 2017-05-29T14:38:24Z Wayo 2479 /* Xbox Live */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.de/patents/US20040009815 Patent: Managing access to content] * [https://www.google.de/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.de/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.de/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.de/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.de/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.de/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] 83304589fb0a0ca0d5fa25ed579ebbd16293dc84 0 3678 5545 5276 2017-05-29T16:07:13Z JayFoxRox 2 wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. It's image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === === IDEXPRDT === === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 12a73a57c84911a370e47bbcd66b41bb2fe4ee58 5546 5545 2017-05-29T16:11:19Z JayFoxRox 2 /* IDEXPRDT */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. It's image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 9893f1fc2961565c63cf69e44a8d452c8c03ff11 5547 5546 2017-05-29T16:16:25Z JayFoxRox 2 wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] bbfee54b8d7a1f6783209d61521b5e7867c0adcc 5550 5547 2017-05-29T20:07:28Z JayFoxRox 2 /* STICKY */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 86166624f34a6f6d09994ba24a34fcdb49c6bed9 5551 5550 2017-05-29T23:18:07Z Haxar 2485 .text and .rdata distinction wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains all x86 subroutines to be executed by the processor. === .rdata === The .rdata section contains the kernel thunk table. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 | |- |[[Kernel/AvSendTVEncoderOption]] |2 | |- |[[Kernel/AvSetDisplayMode]] |3 | |- |[[Kernel/AvSetSavedDataAddress]] |4 | |- |[[Kernel/DbgBreakPoint]] |5 | |- |[[Kernel/DbgBreakPointWithStatus]] |6 | |- |[[Kernel/DbgLoadImageSymbols]] |7 |Devkits only! |- |[[Kernel/DbgPrint]] |8 | |- |[[Kernel/HalReadSMCTrayState]] |9 | |- |[[Kernel/DbgPrompt]] |10 | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 | |- |[[Kernel/ExAllocatePool]] |14 | |- |[[Kernel/ExAllocatePoolWithTag]] |15 | |- |[[Kernel/ExEventObjectType]] |16 |Variable? |- |[[Kernel/ExFreePool]] |17 | |- |[[Kernel/ExInitializeReadWriteLock]] |18 | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 | |- |[[Kernel/ExMutantObjectType]] |22 |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 | |- |[[Kernel/ExRaiseException]] |26 | |- |[[Kernel/ExRaiseStatus]] |27 | |- |[[Kernel/ExReleaseReadWriteLock]] |28 | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 | |- |[[Kernel/ExSemaphoreObjectType]] |30 |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 | |- |[[Kernel/FscGetCacheSize]] |35 | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 | |- |[[Kernel/FscSetCacheSize]] |37 | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 | |- |[[Kernel/HalDisableSystemInterrupt]] |39 | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 | |- |[[Kernel/HalGetInterruptVector]] |44 | |- |[[Kernel/HalReadSMBusValue]] |45 | |- |[[Kernel/HalReadWritePCISpace]] |46 | |- |[[Kernel/HalRegisterShutdownNotification]] |47 | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 | |- |[[Kernel/HalReturnToFirmware]] |49 | |- |[[Kernel/HalWriteSMBusValue]] |50 | |- |[[Kernel/InterlockedCompareExchange]] |51 | |- |[[Kernel/InterlockedDecrement]] |52 | |- |[[Kernel/InterlockedIncrement]] |53 | |- |[[Kernel/InterlockedExchange]] |54 | |- |[[Kernel/InterlockedExchangeAdd]] |55 | |- |[[Kernel/InterlockedFlushSList]] |56 | |- |[[Kernel/InterlockedPopEntrySList]] |57 | |- |[[Kernel/InterlockedPushEntrySList]] |58 | |- |[[Kernel/IoAllocateIrp]] |59 | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 | |- |[[Kernel/IoCheckShareAccess]] |63 | |- |[[Kernel/IoCompletionObjectType]] |64 |Variable? |- |[[Kernel/IoCreateDevice]] |65 | |- |[[Kernel/IoCreateFile]] |66 | |- |[[Kernel/IoCreateSymbolicLink]] |67 | |- |[[Kernel/IoDeleteDevice]] |68 | |- |[[Kernel/IoDeleteSymbolicLink]] |69 | |- |[[Kernel/IoDeviceObjectType]] |70 |Variable? |- |[[Kernel/IoFileObjectType]] |71 |Variable? |- |[[Kernel/IoFreeIrp]] |72 | |- |[[Kernel/IoInitializeIrp]] |73 | |- |[[Kernel/IoInvalidDeviceRequest]] |74 | |- |[[Kernel/IoQueryFileInformation]] |75 | |- |[[Kernel/IoQueryVolumeInformation]] |76 | |- |[[Kernel/IoQueueThreadIrp]] |77 | |- |[[Kernel/IoRemoveShareAccess]] |78 | |- |[[Kernel/IoSetIoCompletion]] |79 | |- |[[Kernel/IoSetShareAccess]] |80 | |- |[[Kernel/IoStartNextPacket]] |81 | |- |[[Kernel/IoStartNextPacketByKey]] |82 | |- |[[Kernel/IoStartPacket]] |83 | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 | |- |[[Kernel/IoSynchronousFsdRequest]] |85 | |- |[[Kernel/IofCallDriver]] |86 | |- |[[Kernel/IofCompleteRequest]] |87 | |- |[[Kernel/KdDebuggerEnabled]] |88 |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |Variable? |- |[[Kernel/IoDismountVolume]] |90 | |- |[[Kernel/IoDismountVolumeByName]] |91 | |- |[[Kernel/KeAlertResumeThread]] |92 | |- |[[Kernel/KeAlertThread]] |93 | |- |[[Kernel/KeBoostPriorityThread]] |94 | |- |[[Kernel/KeBugCheck]] |95 | |- |[[Kernel/KeBugCheckEx]] |96 | |- |[[Kernel/KeCancelTimer]] |97 | |- |[[Kernel/KeConnectInterrupt]] |98 | |- |[[Kernel/KeDelayExecutionThread]] |99 | |- |[[Kernel/KeDisconnectInterrupt]] |100 | |- |[[Kernel/KeEnterCriticalRegion]] |101 | |- |[[Kernel/MmGlobalData]] |102 |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 | |- |[[Kernel/KeGetCurrentThread]] |104 | |- |[[Kernel/KeInitializeApc]] |105 | |- |[[Kernel/KeInitializeDeviceQueue]] |106 | |- |[[Kernel/KeInitializeDpc]] |107 | |- |[[Kernel/KeInitializeEvent]] |108 | |- |[[Kernel/KeInitializeInterrupt]] |109 | |- |[[Kernel/KeInitializeMutant]] |110 | |- |[[Kernel/KeInitializeQueue]] |111 | |- |[[Kernel/KeInitializeSemaphore]] |112 | |- |[[Kernel/KeInitializeTimerEx]] |113 | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 | |- |[[Kernel/KeInsertDeviceQueue]] |115 | |- |[[Kernel/KeInsertHeadQueue]] |116 | |- |[[Kernel/KeInsertQueue]] |117 | |- |[[Kernel/KeInsertQueueApc]] |118 | |- |[[Kernel/KeInsertQueueDpc]] |119 | |- |[[Kernel/KeInterruptTime]] |120 |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 | |- |[[Kernel/KeLeaveCriticalRegion]] |122 | |- |[[Kernel/KePulseEvent]] |123 | |- |[[Kernel/KeQueryBasePriorityThread]] |124 | |- |[[Kernel/KeQueryInterruptTime]] |125 | |- |[[Kernel/KeQueryPerformanceCounter]] |126 | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 | |- |[[Kernel/KeQuerySystemTime]] |128 | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 | |- |[[Kernel/KeReleaseMutant]] |131 | |- |[[Kernel/KeReleaseSemaphore]] |132 | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 | |- |[[Kernel/KeRemoveDeviceQueue]] |134 | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 | |- |[[Kernel/KeRemoveQueue]] |136 | |- |[[Kernel/KeRemoveQueueDpc]] |137 | |- |[[Kernel/KeResetEvent]] |138 | |- |[[Kernel/KeRestoreFloatingPointState]] |139 | |- |[[Kernel/KeResumeThread]] |140 | |- |[[Kernel/KeRundownQueue]] |141 | |- |[[Kernel/KeSaveFloatingPointState]] |142 | |- |[[Kernel/KeSetBasePriorityThread]] |143 | |- |[[Kernel/KeSetDisableBoostThread]] |144 | |- |[[Kernel/KeSetEvent]] |145 | |- |[[Kernel/KeSetEventBoostPriority]] |146 | |- |[[Kernel/KeSetPriorityProcess]] |147 | |- |[[Kernel/KeSetPriorityThread]] |148 | |- |[[Kernel/KeSetTimer]] |149 | |- |[[Kernel/KeSetTimerEx]] |150 | |- |[[Kernel/KeStallExecutionProcessor]] |151 | |- |[[Kernel/KeSuspendThread]] |152 | |- |[[Kernel/KeSynchronizeExecution]] |153 | |- |[[Kernel/KeSystemTime]] |154 |Variable? |- |[[Kernel/KeTestAlertThread]] |155 | |- |[[Kernel/KeTickCount]] |156 |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 | |- |[[Kernel/KeWaitForSingleObject]] |159 | |- |[[Kernel/KfRaiseIrql]] |160 | |- |[[Kernel/KfLowerIrql]] |161 | |- |[[Kernel/KiBugCheckData]] |162 |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 | |- |[[Kernel/LaunchDataPage]] |164 |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 | |- |[[Kernel/MmAllocateSystemMemory]] |167 | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 | |- |[[Kernel/MmCreateKernelStack]] |169 | |- |[[Kernel/MmDeleteKernelStack]] |170 | |- |[[Kernel/MmFreeContiguousMemory]] |171 | |- |[[Kernel/MmFreeSystemMemory]] |172 | |- |[[Kernel/MmGetPhysicalAddress]] |173 | |- |[[Kernel/MmIsAddressValid]] |174 | |- |[[Kernel/MmLockUnlockBufferPages]] |175 | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 | |- |[[Kernel/MmMapIoSpace]] |177 | |- |[[Kernel/MmPersistContiguousMemory]] |178 | |- |[[Kernel/MmQueryAddressProtect]] |179 | |- |[[Kernel/MmQueryAllocationSize]] |180 | |- |[[Kernel/MmQueryStatistics]] |181 | |- |[[Kernel/MmSetAddressProtect]] |182 | |- |[[Kernel/MmUnmapIoSpace]] |183 | |- |[[Kernel/NtAllocateVirtualMemory]] |184 | |- |[[Kernel/NtCancelTimer]] |185 | |- |[[Kernel/NtClearEvent]] |186 | |- |[[Kernel/NtClose]] |187 | |- |[[Kernel/NtCreateDirectoryObject]] |188 | |- |[[Kernel/NtCreateEvent]] |189 | |- |[[Kernel/NtCreateFile]] |190 | |- |[[Kernel/NtCreateIoCompletion]] |191 | |- |[[Kernel/NtCreateMutant]] |192 | |- |[[Kernel/NtCreateSemaphore]] |193 | |- |[[Kernel/NtCreateTimer]] |194 | |- |[[Kernel/NtDeleteFile]] |195 | |- |[[Kernel/NtDeviceIoControlFile]] |196 | |- |[[Kernel/NtDuplicateObject]] |197 | |- |[[Kernel/NtFlushBuffersFile]] |198 | |- |[[Kernel/NtFreeVirtualMemory]] |199 | |- |[[Kernel/NtFsControlFile]] |200 | |- |[[Kernel/NtOpenDirectoryObject]] |201 | |- |[[Kernel/NtOpenFile]] |202 | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 | |- |[[Kernel/NtProtectVirtualMemory]] |204 | |- |[[Kernel/NtPulseEvent]] |205 | |- |[[Kernel/NtQueueApcThread]] |206 | |- |[[Kernel/NtQueryDirectoryFile]] |207 | |- |[[Kernel/NtQueryDirectoryObject]] |208 | |- |[[Kernel/NtQueryEvent]] |209 | |- |[[Kernel/NtQueryFullAttributesFile]] |210 | |- |[[Kernel/NtQueryInformationFile]] |211 | |- |[[Kernel/NtQueryIoCompletion]] |212 | |- |[[Kernel/NtQueryMutant]] |213 | |- |[[Kernel/NtQuerySemaphore]] |214 | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 | |- |[[Kernel/NtQueryTimer]] |216 | |- |[[Kernel/NtQueryVirtualMemory]] |217 | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 | |- |[[Kernel/NtReadFile]] |219 | |- |[[Kernel/NtReadFileScatter]] |220 | |- |[[Kernel/NtReleaseMutant]] |221 | |- |[[Kernel/NtReleaseSemaphore]] |222 | |- |[[Kernel/NtRemoveIoCompletion]] |223 | |- |[[Kernel/NtResumeThread]] |224 | |- |[[Kernel/NtSetEvent]] |225 | |- |[[Kernel/NtSetInformationFile]] |226 | |- |[[Kernel/NtSetIoCompletion]] |227 | |- |[[Kernel/NtSetSystemTime]] |228 | |- |[[Kernel/NtSetTimerEx]] |229 | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 | |- |[[Kernel/NtSuspendThread]] |231 | |- |[[Kernel/NtUserIoApcDispatcher]] |232 | |- |[[Kernel/NtWaitForSingleObject]] |233 | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 | |- |[[Kernel/NtWriteFile]] |236 | |- |[[Kernel/NtWriteFileGather]] |237 | |- |[[Kernel/NtYieldExecution]] |238 | |- |[[Kernel/ObCreateObject]] |239 | |- |[[Kernel/ObDirectoryObjectType]] |240 |Variable? |- |[[Kernel/ObInsertObject]] |241 | |- |[[Kernel/ObMakeTemporaryObject]] |242 | |- |[[Kernel/ObOpenObjectByName]] |243 | |- |[[Kernel/ObOpenObjectByPointer]] |244 | |- |[[Kernel/ObpObjectHandleTable]] |245 |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 | |- |[[Kernel/ObReferenceObjectByName]] |247 | |- |[[Kernel/ObReferenceObjectByPointer]] |248 | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 | |- |[[Kernel/ObfReferenceObject]] |251 | |- |[[Kernel/PhyGetLinkState]] |252 | |- |[[Kernel/PhyInitialize]] |253 | |- |[[Kernel/PsCreateSystemThread]] |254 | |- |[[Kernel/PsCreateSystemThreadEx]] |255 | |- |[[Kernel/PsQueryStatistics]] |256 | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 | |- |[[Kernel/PsTerminateSystemThread]] |258 | |- |[[Kernel/PsThreadObjectType]] |259 |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 | |- |[[Kernel/RtlAppendStringToString]] |261 | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 | |- |[[Kernel/RtlAppendUnicodeToString]] |263 | |- |[[Kernel/RtlAssert]] |264 | |- |[[Kernel/RtlCaptureContext]] |265 | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 | |- |[[Kernel/RtlCharToInteger]] |267 | |- |[[Kernel/RtlCompareMemory]] |268 | |- |[[Kernel/RtlCompareMemoryUlong]] |269 | |- |[[Kernel/RtlCompareString]] |270 | |- |[[Kernel/RtlCompareUnicodeString]] |271 | |- |[[Kernel/RtlCopyString]] |272 | |- |[[Kernel/RtlCopyUnicodeString]] |273 | |- |[[Kernel/RtlCreateUnicodeString]] |274 | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 | |- |[[Kernel/RtlEnterCriticalSection]] |277 | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 | |- |[[Kernel/RtlEqualString]] |279 | |- |[[Kernel/RtlEqualUnicodeString]] |280 | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 | |- |[[Kernel/RtlExtendedMagicDivide]] |283 | |- |[[Kernel/RtlFillMemory]] |284 | |- |[[Kernel/RtlFillMemoryUlong]] |285 | |- |[[Kernel/RtlFreeAnsiString]] |286 | |- |[[Kernel/RtlFreeUnicodeString]] |287 | |- |[[Kernel/RtlGetCallersAddress]] |288 | |- |[[Kernel/RtlInitAnsiString]] |289 | |- |[[Kernel/RtlInitUnicodeString]] |290 | |- |[[Kernel/RtlInitializeCriticalSection]] |291 | |- |[[Kernel/RtlIntegerToChar]] |292 | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 | |- |[[Kernel/RtlLeaveCriticalSection]] |294 | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 | |- |[[Kernel/RtlLowerChar]] |296 | |- |[[Kernel/RtlMapGenericMask]] |297 | |- |[[Kernel/RtlMoveMemory]] |298 | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 | |- |[[Kernel/RtlNtStatusToDosError]] |301 | |- |[[Kernel/RtlRaiseException]] |302 | |- |[[Kernel/RtlRaiseStatus]] |303 | |- |[[Kernel/RtlTimeFieldsToTime]] |304 | |- |[[Kernel/RtlTimeToTimeFields]] |305 | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 | |- |[[Kernel/RtlUlongByteSwap]] |307 | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 | |- |[[Kernel/RtlUnwind]] |312 | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 | |- |[[Kernel/RtlUpperChar]] |316 | |- |[[Kernel/RtlUpperString]] |317 | |- |[[Kernel/RtlUshortByteSwap]] |318 | |- |[[Kernel/RtlWalkFrameChain]] |319 | |- |[[Kernel/RtlZeroMemory]] |320 | |- |[[Kernel/XboxEEPROMKey]] |321 |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |Variable? |- |[[Kernel/XboxHDKey]] |323 |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |Variable? |- |[[Kernel/XeImageFileName]] |326 |Variable? |- |[[Kernel/XeLoadSection]] |327 | |- |[[Kernel/XeUnloadSection]] |328 | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 | |- |[[Kernel/XcSHAInit]] |335 | |- |[[Kernel/XcSHAUpdate]] |336 | |- |[[Kernel/XcSHAFinal]] |337 | |- |[[Kernel/XcRC4Key]] |338 | |- |[[Kernel/XcRC4Crypt]] |339 | |- |[[Kernel/XcHMAC]] |340 | |- |[[Kernel/XcPKEncPublic]] |341 | |- |[[Kernel/XcPKDecPrivate]] |342 | |- |[[Kernel/XcPKGetKeyLen]] |343 | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 | |- |[[Kernel/XcModExp]] |345 | |- |[[Kernel/XcDESKeyParity]] |346 | |- |[[Kernel/XcKeyTable]] |347 | |- |[[Kernel/XcBlockCrypt]] |348 | |- |[[Kernel/XcBlockCryptCBC]] |349 | |- |[[Kernel/XcCryptService]] |350 | |- |[[Kernel/XcUpdateCrypto]] |351 | |- |[[Kernel/RtlRip]] |352 | |- |[[Kernel/XboxLANKey]] |353 | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |Variable? |- |[[Kernel/XePublicKeyData]] |355 |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |Variable? |- |[[Kernel/IdexChannelObject]] |357 |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 | |- |[[Kernel/IoMarkIrpMustComplete]] |359 | |- |[[Kernel/HalInitiateShutdown]] |360 | |- |[[Kernel/RtlSnprintf]] |361 |Unused? |- |[[Kernel/RtlSprintf]] |362 |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |Unused? |- |[[Kernel/RtlVsprintf]] |364 |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 | |- | |367 |Unused? |- | |368 |Unused? |- | |369 |Unused? |- | |370 |Unused? |- | |371 |Unused? |- | |372 |Unused? |- | |373 |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |Devkits only! |} == See Also == [[Hard Drive Files]] 268a8aee4299ba6b05a9a63526cddf458fea6785 5552 5551 2017-05-29T23:49:21Z Haxar 2485 Added Calling Convention definitions wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains all x86 subroutines to be executed by the processor. === .rdata === The .rdata section contains the kernel thunk table. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} == See Also == [[Hard Drive Files]] bb568f6ead9cf97c5dfb0af52adddda0cc16aef1 5553 5552 2017-05-29T23:52:42Z Haxar 2485 Undo revision 5551: whoops... should go to the XBE page wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} == See Also == [[Hard Drive Files]] d4dad83a62efce1f3cd201174542e30c2a9adef9 5569 5553 2017-05-30T15:47:11Z JayFoxRox 2 /* See Also */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. Later kernels{{FIXME|reason=Which revision?}} will discard this section after initialization. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 69604c5f13af635778476b22d15b16e8727a3264 0 3769 5554 2017-05-30T00:01:29Z Haxar 2485 Created page with "=== .text === The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. === .rdata === The .rdata section contains the Kernel|kernel thunk t..." wikitext text/x-wiki === .text === The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. === .rdata === The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. 3e0b29dca2b9be0d57c908919dec3f45839b4d9d 5562 5554 2017-05-30T01:13:05Z Haxar 2485 An XBE page already exists. wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 5563 5562 2017-05-30T01:14:59Z Haxar 2485 Redirected page to [[Xbe]] wikitext text/x-wiki #REDIRECT [[Xbe]] 31effefe95bd7e24787724412bc6178afa0aaf6d 0 1 5555 5500 2017-05-30T00:04:11Z Haxar 2485 /* System Software */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk NXDK (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] 805e684e96bd965f492de0a9a2de636fab3045eb 2 3770 5556 2017-05-30T00:41:03Z Haxar 2485 Created page with "=== GitHub === * [https://github.com/haxar/cxbx-shogun Cxbx w/ Wine support.] === R&D === * [[User:Haxar/fastcall|fastcall routines from rgrep]]" wikitext text/x-wiki === GitHub === * [https://github.com/haxar/cxbx-shogun Cxbx w/ Wine support.] === R&D === * [[User:Haxar/fastcall|fastcall routines from rgrep]] 574d358c48a2ba70de5ea4714ebf7ed3f8e79ff8 2 3771 5557 2017-05-30T00:47:38Z Haxar 2485 Created page with "=== fastcall routines from rgrep === All kernel and library routines are '''stdcall''' unless noted otherwise: <pre> FASTCALL D3DDevice_SetRenderState_Deferred FASTCALL D3DDe..." wikitext text/x-wiki === fastcall routines from rgrep === All kernel and library routines are '''stdcall''' unless noted otherwise: <pre> FASTCALL D3DDevice_SetRenderState_Deferred FASTCALL D3DDevice_SetRenderState_Simple FASTCALL D3DDevice_SetTextureState_Deferred FASTCALL D3DDevice_SetVertexShaderConstant1 FASTCALL D3DDevice_SetVertexShaderConstant1Fast FASTCALL D3DDevice_SetVertexShaderConstant4 FASTCALL D3DDevice_SetVertexShaderConstantNotInline FASTCALL D3DDevice_SetVertexShaderConstantNotInlineFast FASTCALL D3DDevice_SwitchTexture FASTCALL DmProfileDpcDispatchNotifyCallback FASTCALL DmProfileThreadSwitchNotifyCallback FASTCALL ExAcquireFastMutex FASTCALL ExAcquireFastMutexUnsafe FASTCALL ExfInterlockedInsertTailList FASTCALL ExfInterlockedRemoveHeadList FASTCALL ExInterlockedAddLargeStatistic FASTCALL ExInterlockedAddUlong FASTCALL ExInterlockedCompareExchange64 FASTCALL ExInterlockedFlushSList FASTCALL ExInterlockedInsertHeadList FASTCALL ExInterlockedInsertTailList FASTCALL ExInterlockedPopEntryList FASTCALL ExInterlockedPopEntrySList FASTCALL ExInterlockedPushEntryList FASTCALL ExInterlockedPushEntrySList FASTCALL ExInterlockedRemoveHeadList FASTCALL ExReleaseFastMutex FASTCALL ExReleaseFastMutexUnsafe FASTCALL FlashReadMSR FASTCALL FlashWriteMSR FASTCALL fProcessBrainBoxData FASTCALL FscSetCacheBufferProtection FASTCALL GetTypeInformation FASTCALL HalBeginClockInterrupt FASTCALL HalBeginProfileInterrupt FASTCALL HalBeginSMBusInterrupt FASTCALL HalBeginSystemControlInterrupt FASTCALL HalBeginSystemInterrupt FASTCALL HalClearSoftwareInterrupt FASTCALL HalEndSystemInterrupt FASTCALL HalEndSystemLevelInterrupt FASTCALL HalRequestSoftwareInterrupt FASTCALL IdexCdRomStartCheckVerify FASTCALL IdexCdRomStartEndSession FASTCALL IdexCdRomStartGetDriveGeometry FASTCALL IdexCdRomStartRawRead FASTCALL IdexCdRomStartReadKey FASTCALL IdexCdRomStartReadTOC FASTCALL IdexCdRomStartScsiPassThrough FASTCALL IdexCdRomStartSendKey FASTCALL IdexCdRomStartSetSpindleSpeed FASTCALL IdexCdRomStartStartSession FASTCALL IdexChannelInvalidParameterRequest FASTCALL IdexChannelPrepareBufferTransfer FASTCALL IdexChannelSpinWhileBusy FASTCALL IdexChannelSpinWhileBusyAndNotDrq FASTCALL IdexDiskStartFlushBuffers FASTCALL IdexDiskStartReadWrite FASTCALL IdexDiskStartVerify FASTCALL IdexMediaBoardStartReadWrite FASTCALL InterlockedCompareExchange FASTCALL InterlockedDecrement FASTCALL InterlockedExchange FASTCALL InterlockedExchangeAdd FASTCALL InterlockedFlushSList FASTCALL InterlockedIncrement FASTCALL InterlockedPopEntrySList FASTCALL InterlockedPushEntrySList FASTCALL IofCallDriver FASTCALL IofCompleteRequest FASTCALL IopAcquireFileObjectLock FASTCALL IopReleaseFileObjectLock FASTCALL KeAcquireSpinLockRaiseToSynch FASTCALL KefAcquireSpinLockAtDpcLevel FASTCALL KefReleaseSpinLockFromDpcLevel FASTCALL KfAcquireSpinLock FASTCALL KfLowerIrql FASTCALL KfRaiseIrql FASTCALL KfReleaseSpinLock FASTCALL KiAcquireSpinLock FASTCALL KiActivateWaiterQueue FASTCALL KiComputeWaitInterval FASTCALL KiDpcDispatchNotify FASTCALL KiFindReadyThread FASTCALL KiInsertQueue FASTCALL KiInsertQueueApc FASTCALL KiInsertTimerTable FASTCALL KiInsertTreeTimer FASTCALL KiReadyThread FASTCALL KiReinsertTreeTimer FASTCALL KiReleaseSpinLock FASTCALL KiSelectNextThread FASTCALL KiSetPriorityThread FASTCALL KiSwapThread FASTCALL KiTimerListExpire FASTCALL KiUnlockDispatcherDatabase FASTCALL KiUnwaitThread FASTCALL KiWaitSatisfyAll FASTCALL KiWaitSatisfyAny FASTCALL KiWaitSatisfyMutant FASTCALL KiWaitSatisfyOther FASTCALL KiWaitTest FASTCALL MiDecodePteProtectionMask FASTCALL MiGetFirstNode FASTCALL MiGetNextNode FASTCALL MiGetPreviousNode FASTCALL MiInsertNode FASTCALL MiInsertPageInFreeList FASTCALL MiLocateAddress FASTCALL MiLocateAddressInTree FASTCALL MiMakePteProtectionMask FASTCALL MiMakeSystemPteProtectionMask FASTCALL MiReleasePageOwnership FASTCALL MiRelocateBusyPage FASTCALL MiRemoveAnyPage FASTCALL MiRemoveAnyPageFromFreeList FASTCALL MiRemoveDebuggerPage FASTCALL MiRemoveNode FASTCALL MiRemovePageFromFreeList FASTCALL MiRemoveZeroPage FASTCALL MiZeroAndFlushPtes FASTCALL MU_fCbwTransfer FASTCALL MU_fCloseEndpoints FASTCALL MU_fCswTransfer FASTCALL MU_fDataTransfer FASTCALL MU_fDiskReadDriveCapacity FASTCALL MU_fDiskReadWrite FASTCALL MU_fDiskVerify FASTCALL MU_fMarkWriteBufferCorrupt FASTCALL MU_fMrbErrorHandler FASTCALL MU_fStartMrb FASTCALL MU_fValidateMrb FASTCALL MU_fVscCommand FASTCALL ObfDereferenceObject FASTCALL ObfReferenceObject FASTCALL ObpComputeHashIndex FASTCALL OHCD_fAbortEndpoint FASTCALL OHCD_fCancelQueuedUrbs FASTCALL OHCD_fCleanEndpointTDs FASTCALL OHCD_fCloseEndpoint FASTCALL OHCD_fCompleteRequest FASTCALL OHCD_fCreditTDQuota FASTCALL OHCD_fDequeueBulkTransfer FASTCALL OHCD_fDequeueControlTransfer FASTCALL OHCD_fDequeueInterruptTransfer FASTCALL OHCD_fGetEndpointState FASTCALL OHCD_fGetTDsRequired FASTCALL OHCD_fIsochAttachBuffer FASTCALL OHCD_fIsochCloseEndpoint FASTCALL OHCD_fIsochCompleteCloseEndpoint FASTCALL OHCD_fIsochOpenEndpoint FASTCALL OHCD_fIsochProcessTD FASTCALL OHCD_fIsochStartTransfer FASTCALL OHCD_fIsochStopTransfer FASTCALL OHCD_fMapTransfer FASTCALL OHCD_fOpenEndpoint FASTCALL OHCD_fPauseEndpoint FASTCALL OHCD_fPoolFindLostDoneHead FASTCALL OHCD_fPoolInit FASTCALL OHCD_fProcessAbortPendingList FASTCALL OHCD_fProcessCancelPendingList FASTCALL OHCD_fProcessClosePendingList FASTCALL OHCD_fProcessDoneTD FASTCALL OHCD_fProcessFailedTD FASTCALL OHCD_fProgramBulkTransfer FASTCALL OHCD_fProgramControlTransfer FASTCALL OHCD_fProgramInterruptTransfer FASTCALL OHCD_fProgramTransfer FASTCALL OHCD_fQueueBulkTransfer FASTCALL OHCD_fQueueControlTransfer FASTCALL OHCD_fQueueInterruptTransfer FASTCALL OHCD_fQueueTransferRequest FASTCALL OHCD_fSetEndpointState FASTCALL OHCD_fSetResources FASTCALL OHCD_Get32BitFrameNumber FASTCALL OHCD_HookNewEndpointToChildren FASTCALL OHCD_ReverseBits FASTCALL OHCD_RootHubInitialize FASTCALL OHCD_RootHubProcessHotPlug FASTCALL OHCD_RootHubProcessInterrupt FASTCALL OHCD_ScheduleAddEndpointControlOrBulk FASTCALL OHCD_ScheduleAddEndpointPeriodic FASTCALL OHCD_ScheduleInitialize FASTCALL OHCD_ScheduleRemoveEndpointControlOrBulk FASTCALL OHCD_ScheduleRemoveEndpointPeriodic FASTCALL PFMM FASTCALL PFN_PROCESS_NEWDATA FASTCALL PFOFSC FASTCALL PFOFSTM FASTCALL PFOFSTMED FASTCALL PPROCESSOR_IDLE_FUNCTION FASTCALL PPROCESSOR_IDLE_HANDLER FASTCALL PSET_PROCESSOR_THROTTLE FASTCALL PSWAP_CONTEXT_NOTIFY_ROUTINE FASTCALL PTHREAD_SELECT_NOTIFY_ROUTINE FASTCALL PTIME_UPDATE_NOTIFY_ROUTINE FASTCALL RDMSR FASTCALL RtlFindFirstSetRightMember FASTCALL RtlpInterlockedPopEntrySList FASTCALL RtlpInterlockedPushEntrySList FASTCALL RtlUlongByteSwap FASTCALL RtlUlonglongByteSwap FASTCALL RtlUshortByteSwap FASTCALL USBD_AllocateUsbAddress FASTCALL USBD_fDeviceAbortEnum2 FASTCALL USBD_fDeviceEnumStage1 FASTCALL USBD_fDeviceEnumStage4 FASTCALL USBD_FreeUsbAddress FASTCALL USBD_LoadClassDriver FASTCALL VideoPortInterlockedDecrement FASTCALL VideoPortInterlockedExchange FASTCALL VideoPortInterlockedIncrement FASTCALL XDCS_fCompleteRemove FASTCALL XDCS_fCreateBufferEvents FASTCALL XDCS_fDownloadFile FASTCALL XDCS_fRandomBlock FASTCALL XDCS_fVerifyFile FASTCALL XID_fCloseDevice FASTCALL XID_fCloseEndpoints FASTCALL XID_fFindNode FASTCALL XID_fOpenDevice FASTCALL XID_fOpenEndpoints FASTCALL XID_fOutputComplete1 FASTCALL XID_fRemoveDeviceComplete FASTCALL XID_fSendDeviceReport FASTCALL XID_ProcessGamepadData FASTCALL XID_ProcessIRRemoteData FASTCALL XID_ProcessNewKeyboardData FASTCALL XProfpDpcDispatchNotifyCallback FASTCALL XProfpThreadSwitchNotifyCallback </pre> 938601a8040de1cac3ae9e00e3fe4921f791b652 0 3701 5558 5183 2017-05-30T00:50:22Z JayFoxRox 2 wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPDTR section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [[https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec]] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x0B || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] f425fe9ad0e0302676c2c13458321332f9177d09 5559 5558 2017-05-30T00:50:46Z JayFoxRox 2 wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPDTR section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x0B || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] 153d5a7e9cc79e58d2b0d0f55e57ee94c93616e7 5560 5559 2017-05-30T01:09:05Z JayFoxRox 2 /* Guest to host communication */ wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPDTR section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x0B || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] 5872926fc0981b6fc6d772cca64a32ddfb3a2317 5564 5560 2017-05-30T01:34:09Z JayFoxRox 2 /* Guest to host communication */ wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPDTR section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] d135ef2dd86acc8779c34deb3d5db318cd2f5c9c 5565 5564 2017-05-30T01:35:09Z JayFoxRox 2 /* Modifications to xboxkrnl.exe */ wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPRDT section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] 55a3660831aeeb3fd60c712753a9e8ad78bf9c0a 0 3706 5561 5444 2017-05-30T01:12:09Z Haxar 2485 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === === .text === The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. === .rdata === The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 0207583500904b0e791bb3eae30191731ab8daca 5566 5561 2017-05-30T01:47:17Z JayFoxRox 2 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 2f2a65f4501c0cc93c7d7f338fe064ce176c4ea5 0 3681 5567 5192 2017-05-30T03:47:43Z Haxar 2485 A better reference for the Xbox processor. wikitext text/x-wiki The CPU in the Xbox was a custom Pentium 3 running at 733MHz. The 'custom' part of this was that that the Pentium 3 in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] (This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. 3ed0885f9232e9bcb86d83b8fee372c8f09c9001 0 3772 5570 2017-05-30T15:47:27Z JayFoxRox 2 Created page with "== See Also == [[Hard Drive Files]]" wikitext text/x-wiki == See Also == [[Hard Drive Files]] 0a88e6da820ed867351330df4995dac9a64274c8 0 3773 5577 2017-05-31T08:19:56Z Espes 2484 Created page with " Retrieved from [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox] or '''"How to fit three bugs in 512 bytes of secu..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox] or '''"How to fit three bugs in 512 bytes of security code"''' by [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/User:Michael_Steil Michael Steil] Note: This article is partially incomplete. It is superseded by the more detailed article [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox 17 Mistakes Microsoft Made in the Xbox Security System] In order to lock out both copied games as well as homebrew software, including the GNU/Linux operating system, Microsoft built a chain of trust on the Xbox reaching from the hardware to the execution of game code, in order to avoid the infiltration of code that has not been authorized by Microsoft. The link between hardware and software in this chain of trust is the hidden "MCPX" boot ROM. The principles, the implementations and the security vulnerabilities of this 512 bytes ROM will be discussed in this article. <div class="center">'''Missing image'''<br />''Chain_Of_Trust.png'' <br />Image:Chain Of Trust.png<br /><br /> </div> In short: The memory limitations in the hidden ROM made the system vulnerable in principle. A terribly wrong design and three bugs in the implementation opened three independent backdoors. == Why a Hidden ROM is Needed == The Xbox is an IBM PC, i.e. it has an x86 CPU. When the machine is turned on, it starts execution 16 bytes from the top of its address space, at the address FFFF_FFF0 (F000:FFF0 in 8086 segment:offset notation). On an IBM PC, the upper 64 KB (or more) of the address space are occupied by the BIOS ROM, so the CPU starts execution in this ROM. The Xbox, having an external (reprogrammable) 1 MB Flash ROM chip (models since 2003 have only 256 KB), would normally start running code there as well, since this megabyte is also mapped into the uppermost area of the address space. But this would make it too easy for someone who wants to either replace the ROM image with a self-written one or patch it to break the chain of trust ("modchips"). If the ROM image could be fully accessed, it would be easy to reverse-engineer the code; encryption and obfuscation would only slow down the hacking process a bit. A common idea to make the code inaccessible is not to put it into an external chip, but integrate it into one of the other chips. Then there is no standard way to extract the data, and none to replace the chip with one with different contents. But this way, it is a lot more expensive, both the design of a chip that includes both ROM and additional logic, and updating the ROM in a new version of the Xbox if there is a flaw in the ROM. A good compromise is to store only a small amount of code in one of the other chips, and store the bulk of it in the external Flash chip. This small ROM can not be extracted easily, and it cannot be changed or replaced. The code in there just has to make sure that an attacker can neither understand nor successfully patch the bulk of the code he has access to, which is stored in Flash ROM. Microsoft decided to go this way, and they stored 512 bytes of code in the Xbox' Southbridge, the MCPX (Media and Communications Processor for Xbox), which is manufactured by nVidia. This code is supposed to be mapped into the uppermost 512 bytes of the address space, overriding the Flash ROM at this position, so that the CPU starts execution there. It includes x86 code for a decryption function with a secret key that makes the CPU decipher (parts of the) "unsafe" code in the Flash ROM into RAM and run it. Without knowing the key, it is practically impossible to understand or even patch the encrypted code in Flash ROM. == The Code in the Hidden ROM == ROM in a multifunction IC is expensive, therefore it has to be small. Microsoft decided it to be only 512 bytes. Microsoft's implementation of the RC4 decryption algorithm fits well in about 150 bytes, so, at first inspection, this should be no problem. === The 512 Bytes problem === But it is. When the CPU starts up, we cannot simply start decrypting data from flash ROM into RAM. We have to * initialize the CPU (32 bit mode, caching, segmenting) * initialize the chipset and RAM so that the machine is in a stable state While the CPU initialization can be done in less than 150 bytes, the initialization of the chipset and RAM, if done completely, will require more than 1000 bytes of assembly code. Even at a minimum, Microsoft probably did not see a way to fit all this into these 512 bytes. Therefore it was decided to store some initialization tables in Flash ROM. The Southbridge was modified to read these tables even before the CPU starts running, and to pass these values to the Northbridge and Southbridge components. These tables are fetched from the very beginning of Flash ROM (FFF0_0000) and are 52 bytes long. But these tables are not enough for full hardware initialization. Tables are just not powerful enough - for memory initialization, memory stability tests have to be made. Putting some x86 code to do this into Flash ROM would pervert the security system, because a hacker could then easily put his own code there. === The Xcodes === Microsoft decided to create a simple virtual machine that was well-suited for running hardware initialization code, but not much else. They created a tiny interpreter that understands 12 statements, but is not supposed to be powerful enough to take over the machine. As it is secure, this bytecode, called Xcode by the hackers that discovered it, can then be stored in Flash ROM. So the hidden ROM initializes the CPU, interprets the Xcodes stored in Flash ROM to set up the machine and then decrypts and runs x86 code from Flash ROM. The Xcodes start at FFF0_0080 (at 128 bytes) in Flash ROM. As the Flash can be easily updated in newer revisions of the Xbox, their size needn't be constant; they are typically about 3000 bytes in size, which is about 330 statements. An Xcode consists of an 8 bit statement, always followed by two 32 bit operands. The virtual machine has a 32 bit accumulator. The following table summarizes possible instructions; all other codes are treated as NOP: {| class="wikitable" |- | 0x02 | PEEK | ACC&nbsp;:= MEM[OP1] |- | 0x03 | POKE | MEM[OP1]&nbsp;:= OP2 |- | 0x04 | POKEPCI | PCICONF[OP1] := OP2 |- | 0x05 | PEEKPCI | ACC&nbsp;:= PCICONF[OP1] |- | 0x06 | AND/OR | ACC&nbsp;:= (ACC &amp; OP1) OP2 |- | 0x07 | (prefix) | execute the instruction code in OP1 with OP1&nbsp;:= OP2, OP2&nbsp;:= ACC |- | 0x08 | BNE | IF ACC = OP1 THEN PC := PC + OP2 |- | 0x09 | BRA | PC&nbsp;:= PC + OP2 |- | 0x10 | AND/OR ACC2 | ''(unused/defunct)'' ACC2&nbsp;:= (ACC2 &amp; OP1) OP2 |- | 0x11 | OUTB | PORT[OP1]&nbsp;:= OP2 |- | 0x12 | INB | ACC&nbsp;:= PORT(OP1) |- | 0xEE | END |} So the interpreter, rewritten in C, looks roughly like this: <pre>struct { char opcode; int op1; int op2; } *p; int acc; p = 0xFFF00080; while(1) { switch(p-&gt;opcode) { case 2: acc = *((int*)p-&gt;op1); break; case 3: *((int*)p-&gt;op1) = p-&gt;op2; break; case 4: outl(p-&gt;op1, 0x0CF8); outl(p-&gt;op2, 0x0CFC); break; case 5: ... case 0xEE: goto end; } p++; } end: </pre> PEEK and POKE read from and write constants to main memory. OUTB and INB do the same with 8 bit I/O ports. (I/O ports are another address space, 16 bit wide, next to the 32 bit memory address space. While most other CPU architectures control hardware by accessing their registers as if they were memory, the Intel architecture can access some older components through specialized in/out assembly instructions.) POKEPCI and PEEKPCI access the PCI configuration area, by sending the PCI config address to 32 bit I/O port 0xCF8 and accessing the value at 32 bit I/O port 0xCFC. (On PCI-equipped computers, every PCI device has at least 64 bytes of PCI config registers. On a PC, the BIOS or a Plug-and-Play operating system communicates through these registers to find out what resources (memory, I/O ports, interrupts) a device needs and then maps these resources. The I/O ports 0xCF8/0xCFC are the communication mechanism for the PCI config space on PCs.) The AND/OR instruction can do a 32 bit AND or OR or both at the same time with the accumulator. BNE branches if the accumulator is equal to a constant, BRA branches always. The prefix 0x07 can be used to execute any of the other statements with the accumulator as the second operand. This way, "POKE addr, ACC", "POKEPCI addr, ACC", "BNE PC+ACC", "BRA PC+ACC" and "OUT addr, ACC" are possible. The code 0x07 is handled by the interpreter, and uses a second accumulator, but this code is never used by the Xcodes. The code 0xEE ends the interpreter and makes the hidden ROM go on with the RC4 decryption. === RC4 decryption, validity check and panic code === After the Xcodes have completed the hardware setup, the machine is in a stable state, so that it is possible to decrypt parts of the Flash ROM directly into RAM and run it there. As mentioned earlier, the RC4 code including the key is about 150 bytes in size. The Xcode interpreter is about 175 bytes, and CPU init about 145 bytes. This leaves only about 40 bytes for a check whether decryption was successful and halt the machine otherwise. This seems not to have been enough space for Microsoft's engineers to implement a small checksum routine, so they only checked for one 32 bit constant (0x7854794A) at the end of the decrypted data in RAM (0x0009_5FE4). If this is successful, the CPU jumps to 0x9_0000 in RAM, where the new code has been written. This code, the "second bootloader" ("2bl") is about 25 KB in size. It continues initializing the hardware and decompresses the kernel from Flash ROM. If the decrypted value is not correct, the CPU is supposed to halt. Simply using the "hlt" opcode would mean that the machine would remain turned on and idle with the hidden ROM visible in the address space. A hacker could then use some hardware attached to the chipset that extracts the data from ROM from a running machine. The designers therefore decided to always turn off the hidden ROM as soon as possible in both branches, when decryption was successful (then it is turned off as one of the first instructions in the "2bl" code), and if it wasn't. But making the CPU crash and turning off the ROM it is running in is a challenge. If we halt the CPU, we cannot turn off the ROM afterwards. If we turn off the ROM, we turn off the code that gets run and we cannot halt the CPU - even worse, the CPU would continue fetching its opcodes from the underlying Flash ROM as soon as the hidden ROM is deactivated. Microsoft's developers came up with a very interesting trick: They led execution to the absolute top of the address space, and as the very last instruction, they turn off the hidden ROM. Then the instruction pointer is supposed to overflow from FFFF_FFFF to 0000_0000 and an exception is supposed to be generated which in turn is supposed to halt the CPU because no exception handler is registered. <div class="center"><img src="https://web.archive.org/web/20100617012156im_/http://www.xbox-linux.org/pic/memorymap.png" alt="memorymap.png" /></div> == Security Issues == This system looks pretty secure. If we don't know what's going on, it is a lot of work to find out that there is a hidden boot ROM (but it's easy to prove because the Xbox still boots if you overwrite the upper 512 bytes of Flash ROM since they never get used). If we don't have access to the boot ROM, we cannot decrypt and thus cannot understand the code in Flash ROM. Because we don't know how to reencrypt, we cannot patch the code in Flash. === The Importance of the Secret Key === But what happens if someone finds out the hidden 512 bytes? [https://web.archive.org/web/20100617012156/http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html Bunnie] did, Christmas 2001. He tapped the bus between the Southbridge (where the secret MCPX code is stored) and the Northbridge (the CPU's memory interface) where all secret data gets transmitted. The compromise to store the secret ROM in the MCPX instead of the CPU, so that data would travel over a bus, finally broke the system. Knowing the algorithm and the secret key, he could easily disassemble the whole code in Flash ROM, and he could have even patched and reencrypted the code - the decryption code won't notice the difference, as the Flash ROM is not hashed: Only a single 32 bit value is checked. Modchip makers, who used similar tricks to get hold of the hidden ROM, used this knowledge to create patched versions of the Flash ROM image and distributed them on boards that, soldered to the Xbox motherboard, overrode the onboard Flash ROM. === Security Measures in the Hidden ROM === So as soon as the encryption algorithm and the key are known, everything is possible? Not quite. In order to create a working Flash ROM image, you have to use Microsoft's secret key, which is considered illegal under certain jurisdictions. So for a completely legal replacement Flash ROM image that takes over the machine to be free to run any homebrew software or alternative operating systems, a complete security analysis had to be made. Since the hidden code depends in some way on external data, stored in Flash ROM, which can be quite easily changed by the user, it may be attackable through certain data stored there. Microsoft understood this danger and added some precautions so that the Xcodes could not be abused - supposedly - in case the secret ROM was known. ==== PEEK ==== The Xcode language is powerful enough to easily read and write memory, the PCI configuration space as well as I/O ports. The user could easily add Xcodes that read the hidden MCPX ROM and send the data to some I/O ports, e.g. the I2C bus. Therefore all memory reads are limited to the lower 256 MB: <pre> and ebx, 0FFFFFFFh &nbsp;; clear upper 4 bits mov edi, [ebx] &nbsp;; read from memory location op1 into di jmp next_instruction </pre> ==== POKEPCI ==== Turning off the hidden ROM is done by the following statements: <pre> mov eax, 80000880h mov dx, 0CF8h out dx, eax add dl, 4 mov al, 2 out dx, al </pre> This code sets bit #1 in the PCI config space, device 0:1:0, register offset 0x80 (coded in 0x80000880). Using the POKEPCI instruction, it would be possible to disable the hidden ROM prematurely, so that the underlying Flash ROM, which is normally overlapped by the secret ROM, would be visible, and CPU would continue running there, where the hacker could simly store his code: <pre> POKEPCI 0x80000880, 2 </pre> Therefore the interpreter always clears bit 1 if the Xcode wants to write to 0x80000880: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> ==== Halt ==== As described earlier, if the hidden ROM detects that decryption was unsuccessful, it halts the CPU and turns off the hidden ROM by turning it off as the very last statement in the CPU's address space, causing an address overflow exception and thus a CPU halt in the very next cycle. This is supposed to make it impossible for a hacker to extract the hidden ROM contents, because the hidden ROM is always turned off very quickly, even if the machine does not boot correctly. <pre> mov eax, ds:95FE4h cmp eax, 7854794Ah jnz short bad_checkcode mov eax, ds:90000h jmp eax &nbsp;; jump to decrypted second bootloader in RAM bad_checkcode: mov eax, 80000880h &nbsp;; prepare MCPX ROM disable mov dx, 0CF8h out dx, eax jmp far ptr 8:0FFFFFFFAh&nbsp;; jump to end of ROM, wraparound [...] FFFA:&nbsp;; this is address FFFFFFFA add dl, 4 mov al, 2 out dx, al ; ------ this is address 00000000 ------ </pre> === Security Flaws in the Hidden ROM === While these three security precautions that have just been described are indeed vital, two of them are faulty. The POKEPCI check is incorrectly implemented, and the somewhat clever "Halt" trick, which was supposed to lock out hardware sniffers, opened a software backdoor. ==== The Visor Trick ==== The roll over of the instruction pointer from FFFF_FFFF to 0000_0000 is supposed to generate an exception. Since no exception handlers are installed, this is supposed to halt the machine. But in reality, no exception is generated. Execution just happily continues at 0000_0000 - in RAM! Apparently the i386 CPU family throws no exception in this case, Microsoft's engineers only assumed it or misread the documentation and never tested it. By adding Xcodes to write a jump to some Flash ROM address, like FFF0_0000, into memory at location 0, and causing the decryption check to fail by just not including the 32 bit check value into the Flash ROM, one's own code will be run right after the RC4 decryption: <pre> POKE 0x00000000, 0x001000B8&nbsp;; store "mov eax, 0xFF001000; jmp eax" POKE 0x00000004, 0x90E0FFFF&nbsp;; at 0x00000000 in memory END &nbsp;; now we can place our code at 0x1000 in Flash </pre> ==== The MIST Trick ==== POKEPCI's check for 0x80000880, the address of the configuration register to turn off the hidden ROM, is incorrect. The Southbridge, which decodes the 32 bit value into "bus", "device", "function" and "register" and sends the funcion and register numbers to the specific device on the specific bus, simply ignores the unused bits of that 32 bit value, so 0x88000880 or 0xF0000880 behave exactly the same as 0x80000880 - but POKEPCI's check does not detect them. So this check even gives the attacker a hint how to circumvent it. By adding the statement POKEPCI 0x88000880, 2 to the Xcodes, the interpreter will turn off the hidden ROM - where it is running itself! As soon as the CPU cache has run empty, execution will continue somewhere between FFFF_FE00 and FFFF_FFFF in Flash ROM. You can simply fill everything with NOPs and add a JMP to your own code at the very top. ==== More Attacks? ==== Since two methods to circumvent the Xbox hidden ROM security without touching any crypto both work equally well, there has been little need for further research, but there might very well be more than two security issues in these 512 bytes. There are two more approaches for attacks that we do not want to disclose yet, as Microsoft may still offer updated Xboxes in the future. == Microsoft's Fixes == In August 2002, Microsoft started manufacturing V1.1 Xboxes, which had been improved in many ways. In concerns of security, the hidden ROM and the MCPX' PCI config behavior had been updated (the MCPX revision is "C3" instead of "B2"): They now squeezed a TEA hash into the 512 bytes, replacing the old 32 bit test. The "2bl" code now couldn't be altered easily. And they changed the RC4 secret key. But although they had the possibility to patch their design, Microsoft again failed to make the Xbox secure this time: * They left both the MIST backdoor and the Visor backdoor wide open. * The TEA hash has been a bad choice. If they had even read Schneier's "Applied Cryptography" (''the'' book on crypto), they would have known that TEA is insecure if used as a hash. This can be easily exploited so that 2bl changes remain undetected, leading to the third bug in the second implementation. It is pretty obvious that the changes had been made in reaction to Bunnie's hack, who retrieved the secret key for the RC4 decryption, and before the Visor or MIST bugs had been found. In May 2004, Microsoft started shipping Xboxes that had the ROM image, the video encoder and the security chip (SMC) integrated into a single package, so that it was no longer possible to overwrite the firmware. The secret ROM in the MCPX was still the same though. But as of November 2005, it is still possible to attach a replacement ROM to the LPC bus ("modchip") of new Xboxes, as the verification weakness is still there. == Microsoft's Strategy == Microsoft's engineers first seem to have thought that the secret key would never be revealed: security by obscurity. This explains why the decrypted code did not get hashed. Once the secret key was known, anyone could decrypt, patch and reencrypt the flash contents. So when the secret key had been extracted, Microsoft understood that it could be done again with another key very easily, so they added a hash function over the decrypted code. If the new secret key was to be found out again, attackers should at least not have had the possibility to change the code. Changing the key introduced no security, but was easy to do and at least required attackers to repeat the ROM extraction process. == Conclusion == The design of the first MCPX was very wrong, and the implementation was catastrophic. The design of the second version was a lot better, but the implementation was not. Without the various security holes (Visor and MIST bugs as well as possibly more) and with a working hash function, the system would have been pretty secure. Encrypting the ROM contents with a secret key, i.e. security by obscurity, simply does not work if the key travels over a bus that can be sniffed. So with the first version of the MCPX, Microsoft was too naive and apparently did not understand basic security concepts. After they had learnt their lesson, they designed a pretty good system with the second version of the MCPX - but the implementation still contained at least three security holes (Visor, MIST, TEA). They were too fast releasing a new version of the MCPX, spending a lot of money in trashing tons of already manufactured MCPX chips and manufacturing updated ones, apparently without any further code audit which should have revealed the security holes. 512 bytes is a very small amount of code (it fits on a single sheet of paper!), compared to the megabytes of code contained in software like Windows, Internet Explorer or Internet Information Server. Three bugs within these 512 bytes compromised the security completely - a bunch of hackers found them within days after first looking at the code. Why hasn't Microsoft Corp. been able to do the same? Why? ==Links== * [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/ The Xbox Linux Project] * [https://web.archive.org/web/20100617012156/http://hackingthexbox.com/ Hacking the Xbox] * [https://web.archive.org/web/20100617012156/http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html bunnie's adventures hacking the Xbox] * [https://web.archive.org/web/20100617012156/http://web.archive.org/web/20021208233956/http://65.108.63.67/visor/ visor's aXventure] 3c1e3c40bc1e25ed8886f3007493989292056392 5579 5577 2017-05-31T08:28:56Z JayFoxRox 2 Trying to use a template wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox|ours=MCPX ROM}} or '''"How to fit three bugs in 512 bytes of security code"''' by [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/User:Michael_Steil Michael Steil] Note: This article is partially incomplete. It is superseded by the more detailed article [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox 17 Mistakes Microsoft Made in the Xbox Security System] In order to lock out both copied games as well as homebrew software, including the GNU/Linux operating system, Microsoft built a chain of trust on the Xbox reaching from the hardware to the execution of game code, in order to avoid the infiltration of code that has not been authorized by Microsoft. The link between hardware and software in this chain of trust is the hidden "MCPX" boot ROM. The principles, the implementations and the security vulnerabilities of this 512 bytes ROM will be discussed in this article. <div class="center">'''Missing image'''<br />''Chain_Of_Trust.png'' <br />Image:Chain Of Trust.png<br /><br /> </div> In short: The memory limitations in the hidden ROM made the system vulnerable in principle. A terribly wrong design and three bugs in the implementation opened three independent backdoors. == Why a Hidden ROM is Needed == The Xbox is an IBM PC, i.e. it has an x86 CPU. When the machine is turned on, it starts execution 16 bytes from the top of its address space, at the address FFFF_FFF0 (F000:FFF0 in 8086 segment:offset notation). On an IBM PC, the upper 64 KB (or more) of the address space are occupied by the BIOS ROM, so the CPU starts execution in this ROM. The Xbox, having an external (reprogrammable) 1 MB Flash ROM chip (models since 2003 have only 256 KB), would normally start running code there as well, since this megabyte is also mapped into the uppermost area of the address space. But this would make it too easy for someone who wants to either replace the ROM image with a self-written one or patch it to break the chain of trust ("modchips"). If the ROM image could be fully accessed, it would be easy to reverse-engineer the code; encryption and obfuscation would only slow down the hacking process a bit. A common idea to make the code inaccessible is not to put it into an external chip, but integrate it into one of the other chips. Then there is no standard way to extract the data, and none to replace the chip with one with different contents. But this way, it is a lot more expensive, both the design of a chip that includes both ROM and additional logic, and updating the ROM in a new version of the Xbox if there is a flaw in the ROM. A good compromise is to store only a small amount of code in one of the other chips, and store the bulk of it in the external Flash chip. This small ROM can not be extracted easily, and it cannot be changed or replaced. The code in there just has to make sure that an attacker can neither understand nor successfully patch the bulk of the code he has access to, which is stored in Flash ROM. Microsoft decided to go this way, and they stored 512 bytes of code in the Xbox' Southbridge, the MCPX (Media and Communications Processor for Xbox), which is manufactured by nVidia. This code is supposed to be mapped into the uppermost 512 bytes of the address space, overriding the Flash ROM at this position, so that the CPU starts execution there. It includes x86 code for a decryption function with a secret key that makes the CPU decipher (parts of the) "unsafe" code in the Flash ROM into RAM and run it. Without knowing the key, it is practically impossible to understand or even patch the encrypted code in Flash ROM. == The Code in the Hidden ROM == ROM in a multifunction IC is expensive, therefore it has to be small. Microsoft decided it to be only 512 bytes. Microsoft's implementation of the RC4 decryption algorithm fits well in about 150 bytes, so, at first inspection, this should be no problem. === The 512 Bytes problem === But it is. When the CPU starts up, we cannot simply start decrypting data from flash ROM into RAM. We have to * initialize the CPU (32 bit mode, caching, segmenting) * initialize the chipset and RAM so that the machine is in a stable state While the CPU initialization can be done in less than 150 bytes, the initialization of the chipset and RAM, if done completely, will require more than 1000 bytes of assembly code. Even at a minimum, Microsoft probably did not see a way to fit all this into these 512 bytes. Therefore it was decided to store some initialization tables in Flash ROM. The Southbridge was modified to read these tables even before the CPU starts running, and to pass these values to the Northbridge and Southbridge components. These tables are fetched from the very beginning of Flash ROM (FFF0_0000) and are 52 bytes long. But these tables are not enough for full hardware initialization. Tables are just not powerful enough - for memory initialization, memory stability tests have to be made. Putting some x86 code to do this into Flash ROM would pervert the security system, because a hacker could then easily put his own code there. === The Xcodes === Microsoft decided to create a simple virtual machine that was well-suited for running hardware initialization code, but not much else. They created a tiny interpreter that understands 12 statements, but is not supposed to be powerful enough to take over the machine. As it is secure, this bytecode, called Xcode by the hackers that discovered it, can then be stored in Flash ROM. So the hidden ROM initializes the CPU, interprets the Xcodes stored in Flash ROM to set up the machine and then decrypts and runs x86 code from Flash ROM. The Xcodes start at FFF0_0080 (at 128 bytes) in Flash ROM. As the Flash can be easily updated in newer revisions of the Xbox, their size needn't be constant; they are typically about 3000 bytes in size, which is about 330 statements. An Xcode consists of an 8 bit statement, always followed by two 32 bit operands. The virtual machine has a 32 bit accumulator. The following table summarizes possible instructions; all other codes are treated as NOP: {| class="wikitable" |- | 0x02 | PEEK | ACC&nbsp;:= MEM[OP1] |- | 0x03 | POKE | MEM[OP1]&nbsp;:= OP2 |- | 0x04 | POKEPCI | PCICONF[OP1] := OP2 |- | 0x05 | PEEKPCI | ACC&nbsp;:= PCICONF[OP1] |- | 0x06 | AND/OR | ACC&nbsp;:= (ACC &amp; OP1) OP2 |- | 0x07 | (prefix) | execute the instruction code in OP1 with OP1&nbsp;:= OP2, OP2&nbsp;:= ACC |- | 0x08 | BNE | IF ACC = OP1 THEN PC := PC + OP2 |- | 0x09 | BRA | PC&nbsp;:= PC + OP2 |- | 0x10 | AND/OR ACC2 | ''(unused/defunct)'' ACC2&nbsp;:= (ACC2 &amp; OP1) OP2 |- | 0x11 | OUTB | PORT[OP1]&nbsp;:= OP2 |- | 0x12 | INB | ACC&nbsp;:= PORT(OP1) |- | 0xEE | END |} So the interpreter, rewritten in C, looks roughly like this: <pre>struct { char opcode; int op1; int op2; } *p; int acc; p = 0xFFF00080; while(1) { switch(p-&gt;opcode) { case 2: acc = *((int*)p-&gt;op1); break; case 3: *((int*)p-&gt;op1) = p-&gt;op2; break; case 4: outl(p-&gt;op1, 0x0CF8); outl(p-&gt;op2, 0x0CFC); break; case 5: ... case 0xEE: goto end; } p++; } end: </pre> PEEK and POKE read from and write constants to main memory. OUTB and INB do the same with 8 bit I/O ports. (I/O ports are another address space, 16 bit wide, next to the 32 bit memory address space. While most other CPU architectures control hardware by accessing their registers as if they were memory, the Intel architecture can access some older components through specialized in/out assembly instructions.) POKEPCI and PEEKPCI access the PCI configuration area, by sending the PCI config address to 32 bit I/O port 0xCF8 and accessing the value at 32 bit I/O port 0xCFC. (On PCI-equipped computers, every PCI device has at least 64 bytes of PCI config registers. On a PC, the BIOS or a Plug-and-Play operating system communicates through these registers to find out what resources (memory, I/O ports, interrupts) a device needs and then maps these resources. The I/O ports 0xCF8/0xCFC are the communication mechanism for the PCI config space on PCs.) The AND/OR instruction can do a 32 bit AND or OR or both at the same time with the accumulator. BNE branches if the accumulator is equal to a constant, BRA branches always. The prefix 0x07 can be used to execute any of the other statements with the accumulator as the second operand. This way, "POKE addr, ACC", "POKEPCI addr, ACC", "BNE PC+ACC", "BRA PC+ACC" and "OUT addr, ACC" are possible. The code 0x07 is handled by the interpreter, and uses a second accumulator, but this code is never used by the Xcodes. The code 0xEE ends the interpreter and makes the hidden ROM go on with the RC4 decryption. === RC4 decryption, validity check and panic code === After the Xcodes have completed the hardware setup, the machine is in a stable state, so that it is possible to decrypt parts of the Flash ROM directly into RAM and run it there. As mentioned earlier, the RC4 code including the key is about 150 bytes in size. The Xcode interpreter is about 175 bytes, and CPU init about 145 bytes. This leaves only about 40 bytes for a check whether decryption was successful and halt the machine otherwise. This seems not to have been enough space for Microsoft's engineers to implement a small checksum routine, so they only checked for one 32 bit constant (0x7854794A) at the end of the decrypted data in RAM (0x0009_5FE4). If this is successful, the CPU jumps to 0x9_0000 in RAM, where the new code has been written. This code, the "second bootloader" ("2bl") is about 25 KB in size. It continues initializing the hardware and decompresses the kernel from Flash ROM. If the decrypted value is not correct, the CPU is supposed to halt. Simply using the "hlt" opcode would mean that the machine would remain turned on and idle with the hidden ROM visible in the address space. A hacker could then use some hardware attached to the chipset that extracts the data from ROM from a running machine. The designers therefore decided to always turn off the hidden ROM as soon as possible in both branches, when decryption was successful (then it is turned off as one of the first instructions in the "2bl" code), and if it wasn't. But making the CPU crash and turning off the ROM it is running in is a challenge. If we halt the CPU, we cannot turn off the ROM afterwards. If we turn off the ROM, we turn off the code that gets run and we cannot halt the CPU - even worse, the CPU would continue fetching its opcodes from the underlying Flash ROM as soon as the hidden ROM is deactivated. Microsoft's developers came up with a very interesting trick: They led execution to the absolute top of the address space, and as the very last instruction, they turn off the hidden ROM. Then the instruction pointer is supposed to overflow from FFFF_FFFF to 0000_0000 and an exception is supposed to be generated which in turn is supposed to halt the CPU because no exception handler is registered. <div class="center"><img src="https://web.archive.org/web/20100617012156im_/http://www.xbox-linux.org/pic/memorymap.png" alt="memorymap.png" /></div> == Security Issues == This system looks pretty secure. If we don't know what's going on, it is a lot of work to find out that there is a hidden boot ROM (but it's easy to prove because the Xbox still boots if you overwrite the upper 512 bytes of Flash ROM since they never get used). If we don't have access to the boot ROM, we cannot decrypt and thus cannot understand the code in Flash ROM. Because we don't know how to reencrypt, we cannot patch the code in Flash. === The Importance of the Secret Key === But what happens if someone finds out the hidden 512 bytes? [https://web.archive.org/web/20100617012156/http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html Bunnie] did, Christmas 2001. He tapped the bus between the Southbridge (where the secret MCPX code is stored) and the Northbridge (the CPU's memory interface) where all secret data gets transmitted. The compromise to store the secret ROM in the MCPX instead of the CPU, so that data would travel over a bus, finally broke the system. Knowing the algorithm and the secret key, he could easily disassemble the whole code in Flash ROM, and he could have even patched and reencrypted the code - the decryption code won't notice the difference, as the Flash ROM is not hashed: Only a single 32 bit value is checked. Modchip makers, who used similar tricks to get hold of the hidden ROM, used this knowledge to create patched versions of the Flash ROM image and distributed them on boards that, soldered to the Xbox motherboard, overrode the onboard Flash ROM. === Security Measures in the Hidden ROM === So as soon as the encryption algorithm and the key are known, everything is possible? Not quite. In order to create a working Flash ROM image, you have to use Microsoft's secret key, which is considered illegal under certain jurisdictions. So for a completely legal replacement Flash ROM image that takes over the machine to be free to run any homebrew software or alternative operating systems, a complete security analysis had to be made. Since the hidden code depends in some way on external data, stored in Flash ROM, which can be quite easily changed by the user, it may be attackable through certain data stored there. Microsoft understood this danger and added some precautions so that the Xcodes could not be abused - supposedly - in case the secret ROM was known. ==== PEEK ==== The Xcode language is powerful enough to easily read and write memory, the PCI configuration space as well as I/O ports. The user could easily add Xcodes that read the hidden MCPX ROM and send the data to some I/O ports, e.g. the I2C bus. Therefore all memory reads are limited to the lower 256 MB: <pre> and ebx, 0FFFFFFFh &nbsp;; clear upper 4 bits mov edi, [ebx] &nbsp;; read from memory location op1 into di jmp next_instruction </pre> ==== POKEPCI ==== Turning off the hidden ROM is done by the following statements: <pre> mov eax, 80000880h mov dx, 0CF8h out dx, eax add dl, 4 mov al, 2 out dx, al </pre> This code sets bit #1 in the PCI config space, device 0:1:0, register offset 0x80 (coded in 0x80000880). Using the POKEPCI instruction, it would be possible to disable the hidden ROM prematurely, so that the underlying Flash ROM, which is normally overlapped by the secret ROM, would be visible, and CPU would continue running there, where the hacker could simly store his code: <pre> POKEPCI 0x80000880, 2 </pre> Therefore the interpreter always clears bit 1 if the Xcode wants to write to 0x80000880: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> ==== Halt ==== As described earlier, if the hidden ROM detects that decryption was unsuccessful, it halts the CPU and turns off the hidden ROM by turning it off as the very last statement in the CPU's address space, causing an address overflow exception and thus a CPU halt in the very next cycle. This is supposed to make it impossible for a hacker to extract the hidden ROM contents, because the hidden ROM is always turned off very quickly, even if the machine does not boot correctly. <pre> mov eax, ds:95FE4h cmp eax, 7854794Ah jnz short bad_checkcode mov eax, ds:90000h jmp eax &nbsp;; jump to decrypted second bootloader in RAM bad_checkcode: mov eax, 80000880h &nbsp;; prepare MCPX ROM disable mov dx, 0CF8h out dx, eax jmp far ptr 8:0FFFFFFFAh&nbsp;; jump to end of ROM, wraparound [...] FFFA:&nbsp;; this is address FFFFFFFA add dl, 4 mov al, 2 out dx, al ; ------ this is address 00000000 ------ </pre> === Security Flaws in the Hidden ROM === While these three security precautions that have just been described are indeed vital, two of them are faulty. The POKEPCI check is incorrectly implemented, and the somewhat clever "Halt" trick, which was supposed to lock out hardware sniffers, opened a software backdoor. ==== The Visor Trick ==== The roll over of the instruction pointer from FFFF_FFFF to 0000_0000 is supposed to generate an exception. Since no exception handlers are installed, this is supposed to halt the machine. But in reality, no exception is generated. Execution just happily continues at 0000_0000 - in RAM! Apparently the i386 CPU family throws no exception in this case, Microsoft's engineers only assumed it or misread the documentation and never tested it. By adding Xcodes to write a jump to some Flash ROM address, like FFF0_0000, into memory at location 0, and causing the decryption check to fail by just not including the 32 bit check value into the Flash ROM, one's own code will be run right after the RC4 decryption: <pre> POKE 0x00000000, 0x001000B8&nbsp;; store "mov eax, 0xFF001000; jmp eax" POKE 0x00000004, 0x90E0FFFF&nbsp;; at 0x00000000 in memory END &nbsp;; now we can place our code at 0x1000 in Flash </pre> ==== The MIST Trick ==== POKEPCI's check for 0x80000880, the address of the configuration register to turn off the hidden ROM, is incorrect. The Southbridge, which decodes the 32 bit value into "bus", "device", "function" and "register" and sends the funcion and register numbers to the specific device on the specific bus, simply ignores the unused bits of that 32 bit value, so 0x88000880 or 0xF0000880 behave exactly the same as 0x80000880 - but POKEPCI's check does not detect them. So this check even gives the attacker a hint how to circumvent it. By adding the statement POKEPCI 0x88000880, 2 to the Xcodes, the interpreter will turn off the hidden ROM - where it is running itself! As soon as the CPU cache has run empty, execution will continue somewhere between FFFF_FE00 and FFFF_FFFF in Flash ROM. You can simply fill everything with NOPs and add a JMP to your own code at the very top. ==== More Attacks? ==== Since two methods to circumvent the Xbox hidden ROM security without touching any crypto both work equally well, there has been little need for further research, but there might very well be more than two security issues in these 512 bytes. There are two more approaches for attacks that we do not want to disclose yet, as Microsoft may still offer updated Xboxes in the future. == Microsoft's Fixes == In August 2002, Microsoft started manufacturing V1.1 Xboxes, which had been improved in many ways. In concerns of security, the hidden ROM and the MCPX' PCI config behavior had been updated (the MCPX revision is "C3" instead of "B2"): They now squeezed a TEA hash into the 512 bytes, replacing the old 32 bit test. The "2bl" code now couldn't be altered easily. And they changed the RC4 secret key. But although they had the possibility to patch their design, Microsoft again failed to make the Xbox secure this time: * They left both the MIST backdoor and the Visor backdoor wide open. * The TEA hash has been a bad choice. If they had even read Schneier's "Applied Cryptography" (''the'' book on crypto), they would have known that TEA is insecure if used as a hash. This can be easily exploited so that 2bl changes remain undetected, leading to the third bug in the second implementation. It is pretty obvious that the changes had been made in reaction to Bunnie's hack, who retrieved the secret key for the RC4 decryption, and before the Visor or MIST bugs had been found. In May 2004, Microsoft started shipping Xboxes that had the ROM image, the video encoder and the security chip (SMC) integrated into a single package, so that it was no longer possible to overwrite the firmware. The secret ROM in the MCPX was still the same though. But as of November 2005, it is still possible to attach a replacement ROM to the LPC bus ("modchip") of new Xboxes, as the verification weakness is still there. == Microsoft's Strategy == Microsoft's engineers first seem to have thought that the secret key would never be revealed: security by obscurity. This explains why the decrypted code did not get hashed. Once the secret key was known, anyone could decrypt, patch and reencrypt the flash contents. So when the secret key had been extracted, Microsoft understood that it could be done again with another key very easily, so they added a hash function over the decrypted code. If the new secret key was to be found out again, attackers should at least not have had the possibility to change the code. Changing the key introduced no security, but was easy to do and at least required attackers to repeat the ROM extraction process. == Conclusion == The design of the first MCPX was very wrong, and the implementation was catastrophic. The design of the second version was a lot better, but the implementation was not. Without the various security holes (Visor and MIST bugs as well as possibly more) and with a working hash function, the system would have been pretty secure. Encrypting the ROM contents with a secret key, i.e. security by obscurity, simply does not work if the key travels over a bus that can be sniffed. So with the first version of the MCPX, Microsoft was too naive and apparently did not understand basic security concepts. After they had learnt their lesson, they designed a pretty good system with the second version of the MCPX - but the implementation still contained at least three security holes (Visor, MIST, TEA). They were too fast releasing a new version of the MCPX, spending a lot of money in trashing tons of already manufactured MCPX chips and manufacturing updated ones, apparently without any further code audit which should have revealed the security holes. 512 bytes is a very small amount of code (it fits on a single sheet of paper!), compared to the megabytes of code contained in software like Windows, Internet Explorer or Internet Information Server. Three bugs within these 512 bytes compromised the security completely - a bunch of hackers found them within days after first looking at the code. Why hasn't Microsoft Corp. been able to do the same? Why? ==Links== * [https://web.archive.org/web/20100617012156/http://www.xbox-linux.org/ The Xbox Linux Project] * [https://web.archive.org/web/20100617012156/http://hackingthexbox.com/ Hacking the Xbox] * [https://web.archive.org/web/20100617012156/http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html bunnie's adventures hacking the Xbox] * [https://web.archive.org/web/20100617012156/http://web.archive.org/web/20021208233956/http://65.108.63.67/visor/ visor's aXventure] 4c4a6d869ccdb0f72e90d0d1f93a1949af379342 0 3774 5578 2017-05-31T08:26:55Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617021545/http://www.xbox-linux.org/wiki/Xbox_Savegame_System] The Xbox savegame management system is a simple organization..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617021545/http://www.xbox-linux.org/wiki/Xbox_Savegame_System] The Xbox savegame management system is a simple organizational system that allows users to manage their saved games, downloaded contents from Xbox LIVE, and copy savegames to memory units. ==Overview== The Xbox savegame system uses folders and metadata to organize savegames according to its game, type, and name (in that order). All game-generated data are stored in either E:\UDATA or E:\TDATA. The UDATA folder is generally used to store gamesaves (user data), and the TDATA folder is generally used to store LIVE contents and other configurations (such as downloaded levels, high-score tables, game updates, and other miscellaneous configurations). These are the universal elements of gamesaves: * A title meta (universal) * A title image (universal) * A save title * A save image Saves are nested individually inside the game's folder, which are nested inside the game-data folders (UDATA and TDATA). Every XBE that had ever run will have a folder for itself in both of the game-data folders (however, the Xbox Dashboard is a special case). ==Structure Layout== Here's a typical layout of a the savegame folders, shown with Splinter Cell and Xbox Dashboard Music. <pre>+-E: +-TDATA | +-5553000c | | +-audiovideo.par | | +-contentimage.xbx | +-fffe0000 | +-music | +-ST.DB +-UDATA +-5553000c +-8E6AA806E588 | +-GMMAN_Profile.sg1 | +-GMMAN_Profile.sg2 | +-GMMAN_Profile.sg3 | +-Profile.inf | +-SaveMeta.xbx +-SaveImage.xbx +-TitleImage.xbx +-TitleMeta.xbx</pre> As you can see, in the top level there are two folders, TDATA and UDATA. Under each of those folders are folders named according to the game's ID (for example, Splinter Cell's ID is 5553000c). They are in both TDATA and UDATA folders. ===UDATA Folder=== The UDATA folder is generally used to store user content, such as save games, settings, and user-created customizations. Under this folder are folders for each individual game, named by their ID number. Under every game folder, there are two files: TitleImage.xbx and TitleMeta.xbx. ====TitleImage.xbx==== TitleImage.xbx is a 128*128px Xbox texture, used for displaying the game's logo at the left of the game's section in the Memory browser. If this file is missing or corrupted, a generic Xbox logo will be displayed in its place. ====TitleMeta.xbx==== TitleMeta.xbx is a text file for indicating what title of the game would be displayed in the Memory browser. The title is taken from the embedded title of the executable that created the game folder (ie. if you run Splinter Cell's default.xbe first, the title will be "Splinter Cell". If you run its downloader.xbe (same game ID), the title will be "Downloader"). If this file is missing or corrupted, the game's title will be displayed as "Unknown Title". The structure for TitleMeta.xbx is: <pre> TitleName=Game Name</pre> In the case of Splinter Cell, it is <code>TitleName=Splinter Cell</code>. =====Localization===== The TitleMeta.xbx file may contain localization: <pre> [default] TitleName=Network Configurations [EN] TitleName=Network Configurations [JA] TitleName=ネットワーク設定データ [DE] TitleName=Daten für Netzwerkeinstellungen [FR] TitleName=Données des paramètres réseau [ES] TitleName=Datos de configuración de red [IT] TitleName=Dati impostazioni di rete [KO] TitleName=네트워크 설정 데이터 [TW] TitleName=網路設定資料 [BR] TitleName=Dados de Configurações da Rede</pre> There is a separate TitleName entry listed under each of the languages. The entry under <code>[default]</code> will be used if a localized game title cannot be found in this file for the current system language. ===Gamesaves=== Each individual gamesave or game profile is under the game's folder in the UDATA folder. Each save or profile has its own folder. The name of the folders differs from game to game, as there is not set format for the name of a save folder. Ie. one game may choose to name its save folder as "001aecf7", another game may name the save folder as "Profile01". There is always a SaveMeta.xbx file under the folder, and there may also be a SaveImage.xbx file there. Each save folder may contain whatever data that is needed for a valid save. ====SaveMeta.xbx==== SaveMeta.xbx is very similar to TitleMeta.xbx. This defines the name of a save and is displayed on the left side of the screen when the save is selected. If this file is missing or corrupted, the gamesave's name will be displayed as "Corrupted Save". Its format is as the following: <pre> Name=Save Name</pre> In the case of a Splinter Cell game save, it is something like <code>Name=GMMAN_Profile</code>. ====SaveImage.xbx==== SaveImage.xbx is a 64*64px Xbox texture, used to represent an individual save folder. It'll be located in the game's folder under the UDATA folder if all of the saves use the same image (to avoid unnecessary duplication), or under each individual save folder, if there are different kinds of saves located in each folder. The gamesave folder's SaveImage.xbx has precedence over the game folder's SaveImage.xbx. If this file is missing or corrupted, a generic Xbox logo will be in its place. Universal save image: <pre> +-UDATA +-5553000c +-SaveImage.xbx</pre> Individual save image: <pre> +-UDATA +-4d530013 +-129E1A3F1B2A +-SaveImage.xbx</pre> ===TDATA Folder=== The TDATA folder is similar in structure to the UDATA folder. However, it is used to store Xbox LIVE contents, game configurations, and other miscellaneous data. With the TDATA game folders, there is no specific structure, so games may store whatever file it needs wherever inside its game folder. ====contentimage.xbx==== Contentimage.xbx is used in the same way as SaveImage.xbx, except that it is used specifically to indicate downloaded contents. ==Special Case of Xbox Dashboard== The Xbox Dashboard does not abide by these structures. For one, it doesn't have a UDATA folder, and in the TDATA folder it doesn't have any .xbx files. However, in its TDATA folder (E:\TDATA\fffe0000), there is a folder named <code>music</code>. Inside it is a file named <code>ST.DB</code> and several folders with hexadecimal names. This is where soundtracks are stored. If you go into the LIVE Dash's "Test Connections" screen and press the Black button, a folder that follows the structure will be created under the game folder fffe0000 under the UDATA folder. This contains diagnostic information about the connection to Xbox LIVE. ==Other Occurrences in the UDATA and TDATA Folders== * Under the Dashboard's TDATA game folder, a blank file named &lt;code&gt;NoisyCamera&lt;/code&gt; may be present. This is a marker for an Easter egg on the main menu of the Dashboard. Toggle it the same way as the full-screen visualization egg. * Under the UDATA folder, there may be a file named &lt;code&gt;NICKNAME.XBN&lt;/code&gt;. This stores the Xbox's nickname for online games. ==Application to Xbox-Linux== One way the Xbox-Linux project can take advantage of the gamesave system is by having a all Xbox-Linux distributions reside inside an Xbox-Linux game folder. Each individual distribution would be a "gamesave." For example, suppose that the Xbox-Linux project uses the game ID <code>ffffff00</code> and that we're using Xebian as the distro. Here would be the layout of the files following the gamesave structure: <pre>+-E: +-TDATA | +-ffffff00 | +-linuxboot.cfg +-UDATA +-ffffff00 +-debian | +-initrd | +-rootfs | +-SaveImage.xbx | +-SaveMeta.xbx | +-swap | +-vmlinuz +-TitleImage.xbx +-TitleMeta.xbx</pre> Xromwell would search the gamesave directories for linuxboot.cfg and have a special method of handling of a special tag for the gamesave system, so that the following would point to the Xebian files in the UDATA structure: <pre>title Xebian kernel&nbsp;!gs/debian/vmlinuz initrd&nbsp;!gs/debian/initrd append init=/linuxrc root=/dev/ram0 kbd-reset xbox=fatx_e:/UDATA/ffffff00/debian ramdisk_blocksize=4096 xboxfb y</pre> Contents of SaveMeta.xbx: <pre> Name=Xebian</pre> Contents of TitleMeta.xbx: <pre> TitleName=Xbox-Linux</pre> SaveImage.xbx would show the Debian logo, and TitleImage.xbx would show Tux. With this arrangement, it would be easy to uninstall or copy Xbox-Linux distributions simply by selecting its icon in the Memory browser. To completely get rid of Xbox-Linux distributions, just select the Tux icon. Distribution on a specially formatted USB drive would also be possible: create a pre-installed Linux image with a FATX filesystem, and then <code>dd</code> it onto the flash drive. 709a3e8645c05a05a789d8408397c1ddc9e96d2b 0 3775 5580 2017-05-31T08:35:31Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process] by ''Michael Steil'' There are many different Xboxes...." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process] by ''Michael Steil'' There are many different Xboxes. Although they all look the same (except for the "Special Edition"), and all of them work with all games, they have been produced in three different factories and may contain different components. This article describes the "reverse-engineered" internals of Xbox manufacturing. ==The Serial Number== Every Xbox has a sticker on the bottom that looks like this: <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/serial-sticker.jpg" alt="serial-sticker.jpg" /> It contains the manufacturing date and the 12-digit serial number: <pre>1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> <br /> Three factories have produced the Xbox. Mexico (Guadalajara) is "02", Hungary (S�rv�r) is "03" and China (Doumen) is "05". So this Xbox has been manufactured in week #9, 2002 in line 1 of the factory in Hungary, and it was number 166,356 of this week. ==Factories== {| class="wikitable" |- | '''Date''' | '''Mexico''' | '''Hungary''' | '''China''' |- | 10/2001 | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. |- | 01/2002 | Production gets extended for Japan. | Complete switch to 220V European/Australian models. |- | 04/2002 | Production lines #1 and #6 get closed and get moved to China. The other four lines continue production. The first Xboxes with Philips DVD drives are made, now 50% of all Mexican devices have Philips, and 50% have Thomson. | |- | 05/2002 | | Production stops after only less than 9 months, and after about 3 Million Xboxes. All four production lines get moved to China. |- | 08/2002 | | | Production of the 220V 1.1 Xbox for Europe and Australia only begins, with mostly Philips and sometimes Thomson DVD drives. |- | 09/2002 | | | First Samsung DVD drives. Most Xboxes now contain Samsung devices, a few contain Philips ones, and very few still contain Thomson ones. |- | 10/2002 | Switch the remaining four lines to version 1.1. | | |- | 11/2002 | | | Production gets extended by 110V USA/Canada/Japan models. |- | 12/2002 | Production ends after 14 months, and after nearly 7 Million Xboxes. | | First line changes to version 1.2 |- | 02/2003 | | | Last line changes to version 1.2 |- | 03/2003 | | | First line changes to version 1.3 |- | 04/2003 | | | Last line changes to version 1.3 |- | 07/2003 | | | First line changes to version 1.4 |- | 08/2003 | | | First line changes to version 1.5 |} Look at the <a href="/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Versions_HOWTO" title="Xbox Versions HOWTO">Xbox Versions HOWTO</a> for details on when which Chinese line switched to a new version. ==Manufacturing Process== (Please note that a lot of this information has been concluded from implicit information, it may contain errors.) When a computer such as the Xbox is manufactured, three very different tasks have to be done: * assemble the hardware * copy the software on the hardware * test the device The most interesting part about this is when the software is copied, and when and how the device is tested, because there is a lot of room for optimization. Not counting the firmware of independent components such as the HD, the DVD and the SMC, the Xbox contains three pieces of software: * The Xbox kernel in Flash ROM * The hard disk contents (and hard disk key) * The EEPROM contents It depends on the device whether it is more convenient to program it before putting it into the Xbox or doing in-system-programming. ===Putting the System together=== The Flash ROM chips gets programmed externally with the final Xbox kernel and then gets soldered onto the Xbox motherboard. The EEPROM is empty when it gets soldered onto it. So is the hard disk when it gets connected. ===The Installation CD=== So when the Xbox is complete, but the EEPROM and the hard disk are still empty and the hard disk is not locked yet, an optical media gets inserted into the DVD drive (this needn't be an Xbox DVD), which contains a properly retail-signed default.xbe built with the XDK that has the allow eject flag set and has the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from CD, which does the following: * format the three swap partitions * copy XMTAXBOX.XBE from CD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. ===XMTAXBOX.XBE=== This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: * retrieve the EEPROM contents from a network server * retrieve the contents of the system and data partitions from a network server * lock the hard disk * make some self tests and send the report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/repairdvd.jpg" alt="repairdvd.jpg" /> <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/xboxqc.jpg" alt="xboxqc.jpg" /> [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-01/articles/16-01_26.asp] == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process_Pictures Xbox Manufacturing Process Pictures] * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html] Innovation and Design Management case study * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&amp;pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R: [https://web.archive.org/web/20100617013616/http://www.immnet.com/articles?article=1763 Molding is big man on this campus] 9c65b7f4c30050762780fcaa8c192baa58b0c535 10 3776 5581 2017-05-31T08:36:46Z JayFoxRox 2 Created page with "'''This article has been retrieved from [{{{1|{{FIXME}}}}}].''' We might have a similar article. [[{{ours}}]] <!-- would be nice to have https://en.wikipedia.org/wiki/Help:Con..." wikitext text/x-wiki '''This article has been retrieved from [{{{1|{{FIXME}}}}}].''' We might have a similar article. [[{{ours}}]] <!-- would be nice to have https://en.wikipedia.org/wiki/Help:Conditional_expressions --> ec2df75a27fb7cd8d195dc5b3d48387d0e4b3953 5582 5581 2017-05-31T08:37:21Z JayFoxRox 2 wikitext text/x-wiki '''This article has been retrieved from [{{{1|{{FIXME}}}}}].''' We might have a similar article. [[{{{ours}}}]] <!-- would be nice to have https://en.wikipedia.org/wiki/Help:Conditional_expressions --> b83107c25aff6466b0a81f3379d646a7c3e17f93 5583 5582 2017-05-31T08:37:45Z JayFoxRox 2 wikitext text/x-wiki '''This article has been retrieved from [{{{1|{{FIXME}}}}}].''' We might have a similar article. [[{{{ours|}}}]] <!-- would be nice to have https://en.wikipedia.org/wiki/Help:Conditional_expressions --> f84edab41c31ad994f9c99a113f29354cb13551c 5584 5583 2017-05-31T08:38:40Z JayFoxRox 2 wikitext text/x-wiki '''This article has been retrieved from [{{{1|{{FIXME}}}}}].''' We might have a similar article. [[{{{ours|}}}]] <!-- would be nice to have https://en.wikipedia.org/wiki/Help:Conditional_expressions --> ---- e4c322d31f024dbe26924b552224e3be8af91eb8 0 3763 5586 5537 2017-05-31T08:44:00Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Technical_Details|ours=Hard Drive}} by Michael Steil (original version: 1 May 2002, updated 26 September 2002) == Seagate (10 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=ST310211A, FwRev=6.55, SerialNo=6DB2WQW2 Config={ HardSect NotMFM HdSw&gt;15uSec Fixed DTR&gt;10Mbs RotSpdTol&gt;.5% } RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=0 BuffType=unknown, BuffSize=512kB, MaxMultSect=16, MultSect=16 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=19541088 IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 mdma2 udma0 udma1 *udma2 AdvancedPM=no WriteCache=enabled Drive Supports : Reserved : ATA-1 ATA-2 ATA-3 ATA-4 </pre> === Detailed information as reported by hdparm -I === <pre>non-removable ATA device, with non-removable media Model Number: ST310211A Serial Number: 6DB2WQW2 Firmware Revision: 6.55 Standards: Supported: 1 2 3 4 Likely used: 5 Configuration: Logical max current cylinders 16383 16383 heads 16 16 sectors/track 63 63 bytes/track: 0 (obsolete) bytes/sector: 0 (obsolete) current sector capacity: 16514064 LBA user addressable sectors = 19541088 Capabilities: LBA, IORDY(can be disabled) Buffer size: 512.0kB Queue depth: 1 Standby timer values: spec'd by standard r/w multiple sector transfer: Max = 16 Current = 16 DMA: mdma0 mdma1 mdma2 udma0 udma1 *udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=240ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * look-ahead * write cache * Power Management feature set * Security Mode feature set SMART feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- below Vih Device num = 1 Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 3.51 seconds = 18.23 MB/sec Timing buffer-cache reads: 128 MB in 0.85 seconds =150.59 MB/sec </pre> == Western Digital (8 GB) == === Harddisk information as reported by hdparm -i === <pre>Model=WDC WD80EB-28CGH1, FwRev=24.84G24, SerialNo=*************** Config={ HardSect NotMFM HdSw&gt;15uSec SpinMotCtl Fixed DTR&gt;5Mbs FmtGapReq } RawCHS=15509/16/63, TrkSize=57600, SectSize=600, ECCbytes=40 BuffType=DualPortCache, BuffSize=768kB, MaxMultSect=16, MultSect=off CurCHS=15509/16/63, CurSects=15633072, LBA=yes, LBAsects=15633072 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120} PIO modes: pio0 pio1 pio2 pio3 pio4 DMA modes: mdma0 mdma1 *mdma2 UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 AdvancedPM=no WriteCache=enabled Drive conforms to: device does not report version: 1 2 3 4 5 </pre> === Detailed information as reported by hdparm -I === <pre>ATA device, with non-removable media Model Number: WDC WD80EB-28CGH1 Serial Number: *************** Firmware Revision: 24.84G24 Standards: Supported: 5 4 3 2 Likely used: 6 Configuration: Logical max current cylinders 15509 15509 heads 16 16 sectors/track 63 63 -- CHS current addressable sectors: 15633072 LBA user addressable sectors: 15633072 device size with M = 1024*1024: 7633 MBytes device size with M = 1000*1000: 8004 MBytes (8 GB) Capabilities: LBA, IORDY(can be disabled) bytes avail on r/w long: 40 Queue depth: 1 Standby timer values: spec'd by Standard, with device specific minimum R/W multiple sector transfer: Max = 16 Current = 0 Recommended acoustic management value: 128, current value: 254 DMA: mdma0 mdma1 *mdma2 udma0 udma1 udma2 udma3 udma4 udma5 Cycle time: min=120ns recommended=120ns PIO: pio0 pio1 pio2 pio3 pio4 Cycle time: no flow control=120ns IORDY flow control=120ns Commands/features: Enabled Supported: * READ BUFFER cmd * WRITE BUFFER cmd * Host Protected Area feature set * Look-ahead * Write cache * Power Management feature set * Security Mode feature set * SMART feature set Automatic Acoustic Management feature set SET MAX security extension * DOWNLOAD MICROCODE cmd Security: supported enabled not locked not frozen not expired: security count not supported: enhanced erase Security level high HW reset results: CBLID- above Vih Device num = 0 determined by CSEL Checksum: correct </pre> === Hard disk performance measured by hdparm -t === <pre>Timing buffered disk reads: 64 MB in 6.58 seconds = 9.73 MB/sec Timing buffer-cache reads: 128 MB in 3.28 seconds = 39.02 MB/sec </pre> d24ed66bbc3b4603c67052cc010b7a99c5391e6d 0 3764 5587 5534 2017-05-31T08:44:27Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Porting_an_Operating_System_to_the_Xbox_HOWTO}} == Differences == The Xbox hardware consists of standard components, like a Pentium III Celeron CPU, an nForce chipset and IDE DVD and hard disk drives. Still there are a few differences, some of which would make an unmodified operating system crash. === Chipset === The Xbox chipset is basically an nVidia nForce 420, but with a GeForce "NV2A" integrated (instead of a GeForce2 MX), and with an Intel instead of an AMD CPU. Here is the output of "lspci" on a PC nForce: <pre>00:00.0 Host bridge: nVidia Corporation nForce CPU bridge (rev b2) 00:00.1 RAM memory: nVidia Corporation nForce 220/420 Memory Controller (rev b2) 00:00.2 RAM memory: nVidia Corporation nForce 220/420 Memory Controller (rev b2) 00:00.3 RAM memory: nVidia Corporation nForce 420 Memory Controller (DDR) (rev b2) 00:01.0 ISA bridge: nVidia Corporation nForce ISA Bridge (rev c3) 00:01.1 SMBus: nVidia Corporation nForce PCI System Management (rev c1) 00:02.0 USB Controller: nVidia Corporation nForce USB Controller (rev c3) 00:03.0 USB Controller: nVidia Corporation nForce USB Controller (rev c3) 00:04.0 Ethernet controller: nVidia Corporation nForce Ethernet Controller (rev d2) 00:05.0 Multimedia audio controller: nVidia Corporation: Unknown device 01b0 (rev c2) 00:06.0 Multimedia audio controller: nVidia Corporation nForce Audio (rev c2) 00:08.0 PCI bridge: nVidia Corporation nForce PCI-to-PCI bridge (rev c2) 00:09.0 IDE interface: nVidia Corporation nForce IDE (rev c3) 00:1e.0 PCI bridge: nVidia Corporation nForce AGP to PCI Bridge (rev b2) 02:00.0 VGA compatible controller: nVidia Corporation NVCrush11 [GeForce2 MX Integrated Graphics] (rev b1) </pre> On the Xbox, the output looks like this: <pre>00:00.0 Host bridge: nVidia Corporation: Unknown device 02a5 (rev a1) 00:00.3 RAM memory: nVidia Corporation: Unknown device 02a6 (rev a1) 00:01.0 ISA bridge: nVidia Corporation nForce ISA Bridge (rev d4) 00:01.1 SMBus: nVidia Corporation nForce PCI System Management (rev d1) 00:02.0 USB Controller: nVidia Corporation nForce USB Controller (rev d4) 00:03.0 USB Controller: nVidia Corporation nForce USB Controller (rev d4) 00:04.0 Ethernet controller: nVidia Corporation nForce Ethernet Controller (rev d2) 00:05.0 Multimedia audio controller: nVidia Corporation: Unknown device 01b0 (rev d2) 00:06.0 Multimedia audio controller: nVidia Corporation nForce Audio (rev d2) 00:06.1 Modem: nVidia Corporation Intel 537 [nForce MC97 Modem] (rev d1) 00:08.0 PCI bridge: nVidia Corporation nForce PCI-to-PCI bridge (rev d2) 00:09.0 IDE interface: nVidia Corporation nForce IDE (rev d4) 00:1e.0 PCI bridge: nVidia Corporation nForce AGP to PCI Bridge (rev a1) 01:00.0 VGA compatible controller: nVidia Corporation: Unknown device 02a0 (rev a1) </pre> PCI bus 0 is almost identical, except for the Xbox only having a single memory controller. Bus 1 on the PC contains all PCI cards. Since the Xbox does not support PCI cards, the AGP bus on the Xbox is bus 1 instead of bus 2. ==== PCI Enumeration Bug ==== These two differences between the PC and the Xbox version of the nForce chipset have introduced three bugs into the chipset that all have to do with PCI enumeration: * The nonexistent memory controllers at 0:0.1 and 0:0.2 are completely broken: If you try to probe them, i.e. read out their PCI IDs, the Xbox freezes. * There are ghost devices on bus 1, after the video controller (1:0.0). You get garbage if you try to probe them. * The same is true for the complete bus 2. So if your operating system scans the PCI bus in order to find out what drivers need to be loaded for the PCI devices, do not touch 0:0.1 and 0:0.2. The easiest fix would be to start the PCI enumeration with 0:1.0, as the first few devices need no driver anyway, but the following code, taken from the Xbox Linux kernel, handles this better and also hides the ghost devices: <pre>if (mach_pci_is_blacklisted(bus, PCI_SLOT(devfn), PCI_FUNC(devfn))) return -EINVAL; static inline int mach_pci_is_blacklisted(int bus, int dev, int fn) { if(machine_is_xbox) { return (bus &gt; 1) || ((bus != 0) &amp;&amp; ((dev != 0) || (fn != 0))) || (!bus &amp;&amp; !dev &amp;&amp; ((fn == 1) || (fn == 2))); } } </pre> Note that some operating systems (or even some applications) repeat the PCI enumeration later: On Unix systems, the XFree86/X.org X Window servers for example do that, but this can be deactivated using a configuration parameter (or of course patched in the source code). ==== No Keyboard Controller ==== The Xbox is a legacy free PC, so it does not contain a so-called "Super-I/O Chip" which includes old ISA hardware such as * serial port * parallell port * floppy disk controller * keyboard controller In general, this should be no problem for any operating system; there is just one thing: Many operating systems (such as Linux up some 2.4.x version) assume that every PC has a keyboard controller (although this is not true for many embedded x86 as well as Itanium systems), and therefore statically allocate interrupt line 1 for the keyboard controller. The problem is that the original Xbox hardware initialization code (as well as Cromwell) put the first USB controller on interrupt 1, so if the operating system already has it allocated, the first USB controller will not work. On a 1.0 Xbox this means that no USB devices (including, ironically, a keyboard) will work, while on later boxes this only affects two of the four connectors. So make sure that your operating system checks for a keyboard controller and allocates no interrupt if it does not exist. The following code, taken from the Linux kernel, shows how to check for a keyboard controller: <pre>#define kbd_read_input() inb(KBD_DATA_REG) #define kbd_read_status() inb(KBD_STATUS_REG) if (kbd_read_status() == 0xff &amp;&amp; kbd_read_input() == 0xff) kbd_exists = 0; </pre> ==== Timer Frequency ==== The system timer inside the "8254 PIT" unit of the chipset on a PC has a base frequency of 1.193182 MHz. The number of task switches, the system clock and all timing for multimedia is usually based on the interrupts generated by the PIT unit. For some unknown reason, this base frequency is 1.125000 MHz on the Xbox, which is about 6% lower. If your operating system does not handle this difference, multimedia plays at the wrong speed and the system clock (if you have a software clock and do not use the hardware clock) will be incorrect quite quickly. So all you have to do is to search for the constant of 1193182 (sometimes it is 1193180) and replace it with code like this: <pre>timer_base = machine_is_xbox? 1125000 : 1193182; </pre> In case your operating system defines this as a constant, you have to change it into a variable and make sure it is assigned early enough. In this case, it should be a good idea to assign it as soon as you detect whether the machine is an Xbox. ==== Reboot and Poweroff ==== The Xbox chipset has no ACPI capabilities, so it is not possible to shut it down using the ACPI protocol. It is also not possible to reset the Xbox like a PC, because it lacks the keyboard controller which usually includes this feature. Both these functions are handled by the "System Management Controller" SMC (also called the "PIC"), which is a device on the SMBus. In order to communicate with a device on the SMBus, you need a driver for the Xbox SMBus controller, which is AMD754 compatible. Linux for example includes this driver. But there is no need to statically include a complete bus driver just for this simple function: The SMBus on the Xbox is simple enough to be controlled with just two small C functions. The following code is all you need: <pre>#define XBOX_SMB_IO_BASE 0xC000 #define XBOX_SMB_GLOBAL_ENABLE (0x2 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_ADDRESS (0x4 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_DATA (0x6 + XBOX_SMB_IO_BASE) #define XBOX_SMB_HOST_COMMAND (0x8 + XBOX_SMB_IO_BASE) #define XBOX_PIC_ADDRESS 0x10 #define SMC_CMD_POWER 0x02 #define SMC_SUBCMD_POWER_RESET 0x01 #define SMC_SUBCMD_POWER_CYCLE 0x40 #define SMC_SUBCMD_POWER_OFF 0x80 static void xbox_pic_cmd(u8 command) { outw_p(((XBOX_PIC_ADDRESS) &lt;&lt; 1), XBOX_SMB_HOST_ADDRESS); outb_p(SMC_CMD_POWER, XBOX_SMB_HOST_COMMAND); outw_p(command, XBOX_SMB_HOST_DATA); outw_p(inw(XBOX_SMB_IO_BASE), XBOX_SMB_IO_BASE); outb_p(0x0a, XBOX_SMB_GLOBAL_ENABLE); } void xbox_power_reset(char * __unused) { xbox_pic_cmd(SMC_SUBCMD_POWER_RESET); } void xbox_power_cycle(char * __unused) { xbox_pic_cmd(SMC_SUBCMD_POWER_CYCLE); } void xbox_power_off(void) { xbox_pic_cmd(SMC_SUBCMD_POWER_OFF); } </pre> ''xbox_power_reset'' just resets the system while ''xbox_power_cycle'' turns it off and turns it back on after half a second. Please note that the above SMBus code lacks error detection and should not be used in the general case. === DVD Driver === Although the DVD drives in the Xbox are basically standard IDE drives, there are some differences, some due to protection issues, and some because of bugs in their firmwares. ==== Reset on Eject ==== On the PlayStation, it was possible to trick the console into loading copies by inserting an original, having the CD checked and quickly replacing it with a copy. The designers of the Xbox made this trick impossible by having an additional security chip, the SMC, which resets the system if the user presses the eject button or even tries to manually eject the tray. But the system does not ''always'' reset in this case. In the Xbox Dashboard, for example, it is possible to open the tray. Every time the user presses the eject button or the tray opens (for example if the drive ejects on request of software), the PIC sends an EXTSMI# interrupt to the CPU. If the software running on the CPU handles this interrupt and sends back a message to the PIC, then the system will not be reset. The code in [[arch/i386/mach-xbox/reset-on-eject.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/arch/i386/mach-xbox/reset-on-eject.c?rev=1.2&amp;view=auto'') in the Xbox Linux kernel handles this. Again, you need SMBus code to talk to the SMC. ==== DVD Drive Bugs ==== Microsoft uses several different DVD drives in the Xbox, some of which have its compatibility problems: {| border="1" |- | '''drive string''' | '''problems''' |- | "THOMSON-DVD" | pretends it cannot play audio or dvds; does not understand the ATAPI eject command |- | "PHILIPS XBOX DVD DRIVE" | does not understand the ATAPI eject command |- | "PHILIPS J5 3235C" | pretends it cannot play audio or dvds |- | "SAMSUNG DVD-ROM SDG-605B" | no issues |} In addition, none of these drives respect door locking when the user presses the eject button. So if you do nothing, some drives won't respond to software eject commands, and some will refuse to play DVD or audio content, because the player software thinks the drive cannot do it. If you want to support all these DVD drives completely, you have to add some code to the ATAPI CD/DVD driver code in your operating system, which probably already includes some tests for other devices, because many CD/DVD drives report incorrect capabilities. The table above includes the exact string identifiers for these Xbox DVD drives, so you can easily check for them. If the drive does not understand the ATAPI eject command (as well as the load command), you have to issue an eject command to the SMC. The file [[include/linux/xbox.h]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/include/linux/xbox.h?rev=1.1&amp;view=auto'') includes the code you will need. The following two lines are taken from this file: <pre>#define Xbox_tray_load() Xbox_SMC_write(SMC_CMD_EJECT, SMC_SUBCMD_EJECT_LOAD); #define Xbox_tray_eject() Xbox_SMC_write(SMC_CMD_EJECT, SMC_SUBCMD_EJECT_EJECT); </pre> Please note that having an Xbox DVD drive installed does not necessarily mean that we are running on an Xbox. It is possible (although impractical, because of the incompatible power connectors) to use them in a standard PC. So if the drive does not understand the ATAPI eject command, and we are not running on an Xbox, there is no way to eject the tray, as the drive does not even have its own eject button - and you should of course not send SMC commands on the PC. The Linux implementation of this behaviour can be found in [[drivers/ide/ide-cd.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/ide/ide-cd.c?rev=1.13&amp;view=auto''). When detecting the drives, the driver notes in the drive's kernel structure whether it is an Xbox drive and whether it can eject, and corrects the incorrect capabilities. As the physical eject button, which is connected to the SMC, does not respect whether the tray is supposed to be locked, the driver simulates this in software. Locking/unlocking the door: <pre>if (xbox_drive &amp;&amp; machine_is_xbox) { simulated_lock = lock; } </pre> Ejecting/loading: <pre>if (machine_is_xbox &amp;&amp; xbox_drive &amp;&amp; cannot_eject) { if (load) { Xbox_tray_load(); } else { simulated_lock = 0; Xbox_tray_eject(); } return; } </pre> The reset-on-eject driver, which catches eject button presses, should then also respect the flag "simulated_lock" and not open the door if it is locked in software. Please also note that although certain capability flags of the Xbox drives are correct, software can still have a problem with them. An example on Unix is cdparanoia: If a CD drive has a headphone, then it assumes it must support playing audio CDs. This is logical. But cdparanoia assumes that if a drive has no headphone jack, it does not support audio CDs, but this is not true. All Xbox DVD drives can rip audio CDs, although they all have no headphone jack (and correctly report that). === Video Driver === Fully supporting the Xbox video hardware could mean a lot of work (or at least a lot of copying from the Xbox kernel). But there is no need to implement a complete video driver. Both bootloaders provided by the Xbox Linux project set up a 640x480 screen (32 bit colour, RGBX), which is useful for many setups. This linear framebuffer lies at the top of memory (around 60 MB) and can be used by your operating system without ever touching any video registers. This just works like the VESA modes supported by most operating systems, which get set up by the boot loader (using BIOS functions) and never get switched afterwards. Have a look at the bootloader section to learn how to find out where this framebuffer is located. If you want full support, you can reuse driver code for nVidia video hardware, as the Xbox video hardware is fully nVidia compatible. The problem is just that the Xbox does not have a VGA RAMDAC, but a PAL/NTSC video encoder (which is connected through the SMBus), so you always need to make sure when you set up a new mode that the video encoder is also correctly set up, or else you will get garbage on the screen. Unfortunately, there is one of three incompatible video encoders in every Xbox: The first Xboxes used Connexant chips (1.0 to 1.3), later ones used Focus components (1.4 and 1.5), and 1.6 Xboxes include an integrated Xcalibur unit. That is why you might have to copy a lot of code from the Xbox Linux kernel and have others with different Xboxes test your code. You can find all this code in [[drivers/video/xbox/*]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/video/xbox/''). === Hard Disk === The Xbox includes a standard 8 or 10 GB hard disk. For security reasons (the user should be unable to just connect it to a PC) they are locked with an ATA password, but as the firmware already unlocks it, you should not have to care about this, unless you send ATA reset commands to the drive - which you should avoid. Nevertheless, you might want your operating system to coexist with the Xbox system software, then you have to respect the existing partitioning and install it (probably as an image file) onto an existing partition. ==== Xbox Partitioning ==== The Xbox uses an implicit partitioning scheme, which is described in the articles [[Xbox Partitioning and Filesystem Details]] and [[Xbox Hard Disk Partitioning]]. In order to detect whether the hard drive is Xbox-partitioned, you have to check for the "BRFR" magic value, which must always be present. If this is too little evidence for you, you can also check for the "FATX" header in the "System Files" (C:) partition, but you should not assume any more FATX headers. You should also create a sixth partition for the space between 8 GB and 137 GB, and a seventh partition for the space above 137 GB in order to be compatible with patched Xbox kernels that work with larger hard disks. You might want to consider allowing two partitioning systems active at the same time: Xbox partitioning, which defines (at least) the lowermost 8 GB, and standard PC partitioning using a PC partition table (the first sector on the hard disk is unused). Therefore, in Xbox Linux, the Xbox partitions are assigned the numbers 50 to 56, while the Pc partitions start with 1. In Xbox Linux, this code is located in [[fs/partitions/check.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/fs/partitions/check.c?rev=1.9&amp;view=auto'') and [[fs/partitions/xbox.c xbox.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/fs/partitions/xbox.c?rev=1.7&amp;view=auto''). ==== FATX filesystem ==== On the hard disk, the Xbox exclusively uses the FATX filesystem, which is a simplified version of FAT16/FAT32. The articles [[Xbox Partitioning and Filesystem Details]] and [[Differences between Xbox FATX and MS-DOS FAT]] explain FATX in detail. === Peripherals === ==== Xbox Gamepad ==== The Xbox gamepad is a USB device with a proprietary protocol, which you can find in the Xbox Linux kernel in [[drivers/usb/input/xpad.c]] (''http://cvs.sourceforge.net/viewcvs.py/xbox-linux/kernel-2.6/drivers/usb/input/xpad.c?rev=1.5&amp;view=auto''). You might want to add emulation for mouse and/or keyboard as well. ==== Remote Control ==== The remote control is similar to the gamepad. Keyboard and mouse emulation may make sense for it as well. &lt;! --==== Xbox Live Headset ==== --&gt; === Other System Components === ==== USB ==== The Xbox has a standard OHCI host controller, which your operating system hopefully supports out of the box. ==== Ethernet ==== The Ethernet controller of the Xbox is an nForce "nvnet". The Linux driver [[forcedeth]] (''http://www.hailfinger.org/carldani/linux/patches/forcedeth/'') supports it completely. === Sensors === There are two temperature sensors on the Xbox (CPU and system). Standard Linux drivers support them. You can control the system fan using the SMC. See the Xbox Linux "tools" source code for details. 2aec105edb9d24fd5943512ba3d088a3cfa4cdf8 0 3767 5588 5541 2017-05-31T08:44:43Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MB; 0xFFFC0000, if the ROM is 256 KB) into the but the Xbox kernel. == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == The PIC16LC is a small 8 bit processor running at 20 MHz with its own ROM, RAM and I/O lines. It controls: * Power button * Eject button * Power/error LED * DVD tray status (through extra pins to DVD drive) * Video cable type (3 pins) The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. == Video Encoder == The Xbox does not use an ordinary [https://web.archive.org/web/20100617022211/http://en.wikipedia.org/wiki/RAMDAC RAMDAC] for video output. Instead, it employs a <em>video encoder</em>. Video encoder is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a RAMDAC would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the times &ndash; three different video encoders have been used this far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel.) They are, however, not register-compatible. Two of the video encoders (namely, Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [https://web.archive.org/web/20100617022211/http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. (This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal.) The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/SMBus_Controller" title="SMBus Controller">I²C/SMBus</a>. === Conexant CX25871 === [https://web.archive.org/web/20100617022211/http://www.conexant.com:9000/cgi-bin/query?mss=srchprod&amp;pg=q&amp;i=IDXPRODSRCH&amp;q=cx25870 Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions v1.0 through v1.3. If you follow the link, you will find a product brief and a complete data sheet, with register-level programming information. === Focus FS454 === [https://web.archive.org/web/20100617022211/http://www.focusinfo.com/solutions/catalog.asp?id=30 Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. The data sheet containing the necessary programming information is available from the manufacturer by separate request. Copies of it have also been seen floating around the net. === Xcalibur === The "Xcalibur" video encoder is a custom chip manufactured for Microsoft. It was first used in the Xbox hardware revision 1.6. The Xbox-Linux support the Xcalibur video encoders is very limited at present (see <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/Xbox_v1.6_Issues" title="Xbox v1.6 Issues">Xbox v1.6 Issues</a>). The reason for this is that there is, at least currently, no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another MS-specific chip, named Xyclops. == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == The Serial EEPROM holds some settings, such as time zone, language, IP address etc., as well as the hard disk key and the Xbox serial number. == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting afa68697971e59775ab4c0d1528ce3afd542701f 0 3768 5589 5542 2017-05-31T08:44:59Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/DVD-IR_Internals}} by ''Rob Reilink'', 3 Mar 2003 ==Introduction== The DVD-IR remote receiver is a part of the DVD kit which allows you to view DVDs on your Xbox. It comes together with a remote controller. Although it may seem just a simple microcontroller device with a receiver module, there is something more inside which could make it even more interesting. ==Pictures== Ok, let's start with the pictures from the internals: '''Missing image'''<br />''Dvdirfront.jpg'' <br />Image:Dvdirfront.jpg<br /><br /> '''Missing image'''<br />''Dvdirback.jpg'' <br />Image:Dvdirback.jpg<br /><br /> ==IC's== So, what is inside and what does it do? * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. ==Hacking!== As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. It should be noted though, that the ROM is probably scrambled. Also, the microcontroller could encrypt the data even more. As the mask ROM is not a proprietary device, it is known not to contain any encryption hardware. On the other hand is it quite reasonable to assume Microsoft also signed this piece of code, and the dashboard might refuse to run it if it is not signed. 79e8c2f2bc1c35375fdf6234bec9e7f1ab8908fd 0 3775 5590 5580 2017-05-31T08:45:17Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process}} by ''Michael Steil'' There are many different Xboxes. Although they all look the same (except for the "Special Edition"), and all of them work with all games, they have been produced in three different factories and may contain different components. This article describes the "reverse-engineered" internals of Xbox manufacturing. ==The Serial Number== Every Xbox has a sticker on the bottom that looks like this: <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/serial-sticker.jpg" alt="serial-sticker.jpg" /> It contains the manufacturing date and the 12-digit serial number: <pre>1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> <br /> Three factories have produced the Xbox. Mexico (Guadalajara) is "02", Hungary (S�rv�r) is "03" and China (Doumen) is "05". So this Xbox has been manufactured in week #9, 2002 in line 1 of the factory in Hungary, and it was number 166,356 of this week. ==Factories== {| class="wikitable" |- | '''Date''' | '''Mexico''' | '''Hungary''' | '''China''' |- | 10/2001 | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. |- | 01/2002 | Production gets extended for Japan. | Complete switch to 220V European/Australian models. |- | 04/2002 | Production lines #1 and #6 get closed and get moved to China. The other four lines continue production. The first Xboxes with Philips DVD drives are made, now 50% of all Mexican devices have Philips, and 50% have Thomson. | |- | 05/2002 | | Production stops after only less than 9 months, and after about 3 Million Xboxes. All four production lines get moved to China. |- | 08/2002 | | | Production of the 220V 1.1 Xbox for Europe and Australia only begins, with mostly Philips and sometimes Thomson DVD drives. |- | 09/2002 | | | First Samsung DVD drives. Most Xboxes now contain Samsung devices, a few contain Philips ones, and very few still contain Thomson ones. |- | 10/2002 | Switch the remaining four lines to version 1.1. | | |- | 11/2002 | | | Production gets extended by 110V USA/Canada/Japan models. |- | 12/2002 | Production ends after 14 months, and after nearly 7 Million Xboxes. | | First line changes to version 1.2 |- | 02/2003 | | | Last line changes to version 1.2 |- | 03/2003 | | | First line changes to version 1.3 |- | 04/2003 | | | Last line changes to version 1.3 |- | 07/2003 | | | First line changes to version 1.4 |- | 08/2003 | | | First line changes to version 1.5 |} Look at the <a href="/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Versions_HOWTO" title="Xbox Versions HOWTO">Xbox Versions HOWTO</a> for details on when which Chinese line switched to a new version. ==Manufacturing Process== (Please note that a lot of this information has been concluded from implicit information, it may contain errors.) When a computer such as the Xbox is manufactured, three very different tasks have to be done: * assemble the hardware * copy the software on the hardware * test the device The most interesting part about this is when the software is copied, and when and how the device is tested, because there is a lot of room for optimization. Not counting the firmware of independent components such as the HD, the DVD and the SMC, the Xbox contains three pieces of software: * The Xbox kernel in Flash ROM * The hard disk contents (and hard disk key) * The EEPROM contents It depends on the device whether it is more convenient to program it before putting it into the Xbox or doing in-system-programming. ===Putting the System together=== The Flash ROM chips gets programmed externally with the final Xbox kernel and then gets soldered onto the Xbox motherboard. The EEPROM is empty when it gets soldered onto it. So is the hard disk when it gets connected. ===The Installation CD=== So when the Xbox is complete, but the EEPROM and the hard disk are still empty and the hard disk is not locked yet, an optical media gets inserted into the DVD drive (this needn't be an Xbox DVD), which contains a properly retail-signed default.xbe built with the XDK that has the allow eject flag set and has the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from CD, which does the following: * format the three swap partitions * copy XMTAXBOX.XBE from CD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. ===XMTAXBOX.XBE=== This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: * retrieve the EEPROM contents from a network server * retrieve the contents of the system and data partitions from a network server * lock the hard disk * make some self tests and send the report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/repairdvd.jpg" alt="repairdvd.jpg" /> <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/xboxqc.jpg" alt="xboxqc.jpg" /> [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-01/articles/16-01_26.asp] == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process_Pictures Xbox Manufacturing Process Pictures] * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html] Innovation and Design Management case study * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&amp;pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R: [https://web.archive.org/web/20100617013616/http://www.immnet.com/articles?article=1763 Molding is big man on this campus] 7672a73cecbf11fc91b293c82db65208a99b38ae 0 3774 5591 5578 2017-05-31T08:45:41Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617021545/http://www.xbox-linux.org/wiki/Xbox_Savegame_System}} The Xbox savegame management system is a simple organizational system that allows users to manage their saved games, downloaded contents from Xbox LIVE, and copy savegames to memory units. ==Overview== The Xbox savegame system uses folders and metadata to organize savegames according to its game, type, and name (in that order). All game-generated data are stored in either E:\UDATA or E:\TDATA. The UDATA folder is generally used to store gamesaves (user data), and the TDATA folder is generally used to store LIVE contents and other configurations (such as downloaded levels, high-score tables, game updates, and other miscellaneous configurations). These are the universal elements of gamesaves: * A title meta (universal) * A title image (universal) * A save title * A save image Saves are nested individually inside the game's folder, which are nested inside the game-data folders (UDATA and TDATA). Every XBE that had ever run will have a folder for itself in both of the game-data folders (however, the Xbox Dashboard is a special case). ==Structure Layout== Here's a typical layout of a the savegame folders, shown with Splinter Cell and Xbox Dashboard Music. <pre>+-E: +-TDATA | +-5553000c | | +-audiovideo.par | | +-contentimage.xbx | +-fffe0000 | +-music | +-ST.DB +-UDATA +-5553000c +-8E6AA806E588 | +-GMMAN_Profile.sg1 | +-GMMAN_Profile.sg2 | +-GMMAN_Profile.sg3 | +-Profile.inf | +-SaveMeta.xbx +-SaveImage.xbx +-TitleImage.xbx +-TitleMeta.xbx</pre> As you can see, in the top level there are two folders, TDATA and UDATA. Under each of those folders are folders named according to the game's ID (for example, Splinter Cell's ID is 5553000c). They are in both TDATA and UDATA folders. ===UDATA Folder=== The UDATA folder is generally used to store user content, such as save games, settings, and user-created customizations. Under this folder are folders for each individual game, named by their ID number. Under every game folder, there are two files: TitleImage.xbx and TitleMeta.xbx. ====TitleImage.xbx==== TitleImage.xbx is a 128*128px Xbox texture, used for displaying the game's logo at the left of the game's section in the Memory browser. If this file is missing or corrupted, a generic Xbox logo will be displayed in its place. ====TitleMeta.xbx==== TitleMeta.xbx is a text file for indicating what title of the game would be displayed in the Memory browser. The title is taken from the embedded title of the executable that created the game folder (ie. if you run Splinter Cell's default.xbe first, the title will be "Splinter Cell". If you run its downloader.xbe (same game ID), the title will be "Downloader"). If this file is missing or corrupted, the game's title will be displayed as "Unknown Title". The structure for TitleMeta.xbx is: <pre> TitleName=Game Name</pre> In the case of Splinter Cell, it is <code>TitleName=Splinter Cell</code>. =====Localization===== The TitleMeta.xbx file may contain localization: <pre> [default] TitleName=Network Configurations [EN] TitleName=Network Configurations [JA] TitleName=ネットワーク設定データ [DE] TitleName=Daten für Netzwerkeinstellungen [FR] TitleName=Données des paramètres réseau [ES] TitleName=Datos de configuración de red [IT] TitleName=Dati impostazioni di rete [KO] TitleName=네트워크 설정 데이터 [TW] TitleName=網路設定資料 [BR] TitleName=Dados de Configurações da Rede</pre> There is a separate TitleName entry listed under each of the languages. The entry under <code>[default]</code> will be used if a localized game title cannot be found in this file for the current system language. ===Gamesaves=== Each individual gamesave or game profile is under the game's folder in the UDATA folder. Each save or profile has its own folder. The name of the folders differs from game to game, as there is not set format for the name of a save folder. Ie. one game may choose to name its save folder as "001aecf7", another game may name the save folder as "Profile01". There is always a SaveMeta.xbx file under the folder, and there may also be a SaveImage.xbx file there. Each save folder may contain whatever data that is needed for a valid save. ====SaveMeta.xbx==== SaveMeta.xbx is very similar to TitleMeta.xbx. This defines the name of a save and is displayed on the left side of the screen when the save is selected. If this file is missing or corrupted, the gamesave's name will be displayed as "Corrupted Save". Its format is as the following: <pre> Name=Save Name</pre> In the case of a Splinter Cell game save, it is something like <code>Name=GMMAN_Profile</code>. ====SaveImage.xbx==== SaveImage.xbx is a 64*64px Xbox texture, used to represent an individual save folder. It'll be located in the game's folder under the UDATA folder if all of the saves use the same image (to avoid unnecessary duplication), or under each individual save folder, if there are different kinds of saves located in each folder. The gamesave folder's SaveImage.xbx has precedence over the game folder's SaveImage.xbx. If this file is missing or corrupted, a generic Xbox logo will be in its place. Universal save image: <pre> +-UDATA +-5553000c +-SaveImage.xbx</pre> Individual save image: <pre> +-UDATA +-4d530013 +-129E1A3F1B2A +-SaveImage.xbx</pre> ===TDATA Folder=== The TDATA folder is similar in structure to the UDATA folder. However, it is used to store Xbox LIVE contents, game configurations, and other miscellaneous data. With the TDATA game folders, there is no specific structure, so games may store whatever file it needs wherever inside its game folder. ====contentimage.xbx==== Contentimage.xbx is used in the same way as SaveImage.xbx, except that it is used specifically to indicate downloaded contents. ==Special Case of Xbox Dashboard== The Xbox Dashboard does not abide by these structures. For one, it doesn't have a UDATA folder, and in the TDATA folder it doesn't have any .xbx files. However, in its TDATA folder (E:\TDATA\fffe0000), there is a folder named <code>music</code>. Inside it is a file named <code>ST.DB</code> and several folders with hexadecimal names. This is where soundtracks are stored. If you go into the LIVE Dash's "Test Connections" screen and press the Black button, a folder that follows the structure will be created under the game folder fffe0000 under the UDATA folder. This contains diagnostic information about the connection to Xbox LIVE. ==Other Occurrences in the UDATA and TDATA Folders== * Under the Dashboard's TDATA game folder, a blank file named &lt;code&gt;NoisyCamera&lt;/code&gt; may be present. This is a marker for an Easter egg on the main menu of the Dashboard. Toggle it the same way as the full-screen visualization egg. * Under the UDATA folder, there may be a file named &lt;code&gt;NICKNAME.XBN&lt;/code&gt;. This stores the Xbox's nickname for online games. ==Application to Xbox-Linux== One way the Xbox-Linux project can take advantage of the gamesave system is by having a all Xbox-Linux distributions reside inside an Xbox-Linux game folder. Each individual distribution would be a "gamesave." For example, suppose that the Xbox-Linux project uses the game ID <code>ffffff00</code> and that we're using Xebian as the distro. Here would be the layout of the files following the gamesave structure: <pre>+-E: +-TDATA | +-ffffff00 | +-linuxboot.cfg +-UDATA +-ffffff00 +-debian | +-initrd | +-rootfs | +-SaveImage.xbx | +-SaveMeta.xbx | +-swap | +-vmlinuz +-TitleImage.xbx +-TitleMeta.xbx</pre> Xromwell would search the gamesave directories for linuxboot.cfg and have a special method of handling of a special tag for the gamesave system, so that the following would point to the Xebian files in the UDATA structure: <pre>title Xebian kernel&nbsp;!gs/debian/vmlinuz initrd&nbsp;!gs/debian/initrd append init=/linuxrc root=/dev/ram0 kbd-reset xbox=fatx_e:/UDATA/ffffff00/debian ramdisk_blocksize=4096 xboxfb y</pre> Contents of SaveMeta.xbx: <pre> Name=Xebian</pre> Contents of TitleMeta.xbx: <pre> TitleName=Xbox-Linux</pre> SaveImage.xbx would show the Debian logo, and TitleImage.xbx would show Tux. With this arrangement, it would be easy to uninstall or copy Xbox-Linux distributions simply by selecting its icon in the Memory browser. To completely get rid of Xbox-Linux distributions, just select the Tux icon. Distribution on a specially formatted USB drive would also be possible: create a pre-installed Linux image with a FATX filesystem, and then <code>dd</code> it onto the flash drive. dc367c9974f77913322fb2a104cfbea920c702f8 5593 5591 2017-05-31T08:50:45Z JayFoxRox 2 /* Structure Layout */ wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617021545/http://www.xbox-linux.org/wiki/Xbox_Savegame_System}} The Xbox savegame management system is a simple organizational system that allows users to manage their saved games, downloaded contents from Xbox LIVE, and copy savegames to memory units. ==Overview== The Xbox savegame system uses folders and metadata to organize savegames according to its game, type, and name (in that order). All game-generated data are stored in either E:\UDATA or E:\TDATA. The UDATA folder is generally used to store gamesaves (user data), and the TDATA folder is generally used to store LIVE contents and other configurations (such as downloaded levels, high-score tables, game updates, and other miscellaneous configurations). These are the universal elements of gamesaves: * A title meta (universal) * A title image (universal) * A save title * A save image Saves are nested individually inside the game's folder, which are nested inside the game-data folders (UDATA and TDATA). Every XBE that had ever run will have a folder for itself in both of the game-data folders (however, the Xbox Dashboard is a special case). ==Structure Layout== Here's a typical layout of a the savegame folders, shown with Splinter Cell and Xbox Dashboard Music. *{{fs-drive|E:}} **{{fs-folder|TDATA}} ***{{fs-folder|5553000c}} ****{{fs-file|audiovideo.par}} ****{{fs-file|contentimage.xbx}} ***{{fs-folder|fffe0000}} ****{{fs-folder|music}} *****{{fs-file|ST.DB}} **{{fs-folder|UDATA}} ***{{fs-folder|5553000c}} ****{{fs-folder|8E6AA806E588}} *****{{fs-file|GMMAN_Profile.sg1}} *****{{fs-file|GMMAN_Profile.sg2}} *****{{fs-file|GMMAN_Profile.sg3}} *****{{fs-file|Profile.inf}} *****{{fs-file|SaveMeta.xbx}} ****{{fs-file|SaveImage.xbx}} ****{{fs-file|TitleImage.xbx}} ****{{fs-file|TitleMeta.xbx}} As you can see, in the top level there are two folders, TDATA and UDATA. Under each of those folders are folders named according to the game's ID (for example, Splinter Cell's ID is 5553000c). They are in both TDATA and UDATA folders. ===UDATA Folder=== The UDATA folder is generally used to store user content, such as save games, settings, and user-created customizations. Under this folder are folders for each individual game, named by their ID number. Under every game folder, there are two files: TitleImage.xbx and TitleMeta.xbx. ====TitleImage.xbx==== TitleImage.xbx is a 128*128px Xbox texture, used for displaying the game's logo at the left of the game's section in the Memory browser. If this file is missing or corrupted, a generic Xbox logo will be displayed in its place. ====TitleMeta.xbx==== TitleMeta.xbx is a text file for indicating what title of the game would be displayed in the Memory browser. The title is taken from the embedded title of the executable that created the game folder (ie. if you run Splinter Cell's default.xbe first, the title will be "Splinter Cell". If you run its downloader.xbe (same game ID), the title will be "Downloader"). If this file is missing or corrupted, the game's title will be displayed as "Unknown Title". The structure for TitleMeta.xbx is: <pre> TitleName=Game Name</pre> In the case of Splinter Cell, it is <code>TitleName=Splinter Cell</code>. =====Localization===== The TitleMeta.xbx file may contain localization: <pre> [default] TitleName=Network Configurations [EN] TitleName=Network Configurations [JA] TitleName=ネットワーク設定データ [DE] TitleName=Daten für Netzwerkeinstellungen [FR] TitleName=Données des paramètres réseau [ES] TitleName=Datos de configuración de red [IT] TitleName=Dati impostazioni di rete [KO] TitleName=네트워크 설정 데이터 [TW] TitleName=網路設定資料 [BR] TitleName=Dados de Configurações da Rede</pre> There is a separate TitleName entry listed under each of the languages. The entry under <code>[default]</code> will be used if a localized game title cannot be found in this file for the current system language. ===Gamesaves=== Each individual gamesave or game profile is under the game's folder in the UDATA folder. Each save or profile has its own folder. The name of the folders differs from game to game, as there is not set format for the name of a save folder. Ie. one game may choose to name its save folder as "001aecf7", another game may name the save folder as "Profile01". There is always a SaveMeta.xbx file under the folder, and there may also be a SaveImage.xbx file there. Each save folder may contain whatever data that is needed for a valid save. ====SaveMeta.xbx==== SaveMeta.xbx is very similar to TitleMeta.xbx. This defines the name of a save and is displayed on the left side of the screen when the save is selected. If this file is missing or corrupted, the gamesave's name will be displayed as "Corrupted Save". Its format is as the following: <pre> Name=Save Name</pre> In the case of a Splinter Cell game save, it is something like <code>Name=GMMAN_Profile</code>. ====SaveImage.xbx==== SaveImage.xbx is a 64*64px Xbox texture, used to represent an individual save folder. It'll be located in the game's folder under the UDATA folder if all of the saves use the same image (to avoid unnecessary duplication), or under each individual save folder, if there are different kinds of saves located in each folder. The gamesave folder's SaveImage.xbx has precedence over the game folder's SaveImage.xbx. If this file is missing or corrupted, a generic Xbox logo will be in its place. Universal save image: <pre> +-UDATA +-5553000c +-SaveImage.xbx</pre> Individual save image: <pre> +-UDATA +-4d530013 +-129E1A3F1B2A +-SaveImage.xbx</pre> ===TDATA Folder=== The TDATA folder is similar in structure to the UDATA folder. However, it is used to store Xbox LIVE contents, game configurations, and other miscellaneous data. With the TDATA game folders, there is no specific structure, so games may store whatever file it needs wherever inside its game folder. ====contentimage.xbx==== Contentimage.xbx is used in the same way as SaveImage.xbx, except that it is used specifically to indicate downloaded contents. ==Special Case of Xbox Dashboard== The Xbox Dashboard does not abide by these structures. For one, it doesn't have a UDATA folder, and in the TDATA folder it doesn't have any .xbx files. However, in its TDATA folder (E:\TDATA\fffe0000), there is a folder named <code>music</code>. Inside it is a file named <code>ST.DB</code> and several folders with hexadecimal names. This is where soundtracks are stored. If you go into the LIVE Dash's "Test Connections" screen and press the Black button, a folder that follows the structure will be created under the game folder fffe0000 under the UDATA folder. This contains diagnostic information about the connection to Xbox LIVE. ==Other Occurrences in the UDATA and TDATA Folders== * Under the Dashboard's TDATA game folder, a blank file named &lt;code&gt;NoisyCamera&lt;/code&gt; may be present. This is a marker for an Easter egg on the main menu of the Dashboard. Toggle it the same way as the full-screen visualization egg. * Under the UDATA folder, there may be a file named &lt;code&gt;NICKNAME.XBN&lt;/code&gt;. This stores the Xbox's nickname for online games. ==Application to Xbox-Linux== One way the Xbox-Linux project can take advantage of the gamesave system is by having a all Xbox-Linux distributions reside inside an Xbox-Linux game folder. Each individual distribution would be a "gamesave." For example, suppose that the Xbox-Linux project uses the game ID <code>ffffff00</code> and that we're using Xebian as the distro. Here would be the layout of the files following the gamesave structure: <pre>+-E: +-TDATA | +-ffffff00 | +-linuxboot.cfg +-UDATA +-ffffff00 +-debian | +-initrd | +-rootfs | +-SaveImage.xbx | +-SaveMeta.xbx | +-swap | +-vmlinuz +-TitleImage.xbx +-TitleMeta.xbx</pre> Xromwell would search the gamesave directories for linuxboot.cfg and have a special method of handling of a special tag for the gamesave system, so that the following would point to the Xebian files in the UDATA structure: <pre>title Xebian kernel&nbsp;!gs/debian/vmlinuz initrd&nbsp;!gs/debian/initrd append init=/linuxrc root=/dev/ram0 kbd-reset xbox=fatx_e:/UDATA/ffffff00/debian ramdisk_blocksize=4096 xboxfb y</pre> Contents of SaveMeta.xbx: <pre> Name=Xebian</pre> Contents of TitleMeta.xbx: <pre> TitleName=Xbox-Linux</pre> SaveImage.xbx would show the Debian logo, and TitleImage.xbx would show Tux. With this arrangement, it would be easy to uninstall or copy Xbox-Linux distributions simply by selecting its icon in the Memory browser. To completely get rid of Xbox-Linux distributions, just select the Tux icon. Distribution on a specially formatted USB drive would also be possible: create a pre-installed Linux image with a FATX filesystem, and then <code>dd</code> it onto the flash drive. c5811a8f5cf18a6477e439e647ae4cba500863ce 0 1 5592 5555 2017-05-31T08:48:23Z Espes 2484 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] == Other == * [[Network]] * Find random stuff in [[Resources]] ae2daa9441d86726ebe7aebfbb42c95c8593ac66 5598 5592 2017-05-31T08:52:25Z Espes 2484 /* Emulation */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] == Other == * [[Network]] * Find random stuff in [[Resources]] 37e1490859fe846e23f479a7924a24bb7b0934f6 5611 5598 2017-05-31T09:15:12Z Espes 2484 /* Emulation */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] 9c5757604b8f9c181bfb1f991133c10401dca098 10 3777 5594 2017-05-31T08:50:56Z JayFoxRox 2 Created page with "{{1}}" wikitext text/x-wiki {{1}} 8d1a7ca8f5878e8c4bfb9b4c32e0c531cff7bb58 5609 5594 2017-05-31T09:13:45Z JayFoxRox 2 wikitext text/x-wiki [[File:Drive-harddisk.svg.png|16px]] {{{1}}} b5ea3faa99a09cd2857ac8a6c6b810538517295f 10 3778 5595 2017-05-31T08:51:09Z JayFoxRox 2 Created page with "{{{1}}}" wikitext text/x-wiki {{{1}}} 6c1d7c6d588a87a5e7dd855a9f2baf785578acec 5608 5595 2017-05-31T09:13:21Z JayFoxRox 2 wikitext text/x-wiki [[File:Folder.svg.png|16px]] {{{1}}} 9f2ae6a150d4119839f584354ade0e8c8e06bbeb 10 3779 5596 2017-05-31T08:51:26Z JayFoxRox 2 Created page with "{{{1}}}" wikitext text/x-wiki {{{1}}} 6c1d7c6d588a87a5e7dd855a9f2baf785578acec 5607 5596 2017-05-31T09:12:27Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} e6be5752ecc3b18dc400eb9c3fedd69b197cec4e 5614 5607 2017-05-31T09:24:23Z JayFoxRox 2 wikitext text/x-wiki <!-- Also getting an optional {{{hash}}} --> [[File:Text-x-generic.svg.png|16px]] {{{1}}} ({{{size|Unknown number of}}} bytes}}}) 1355b8c9fe1c9168a8f8b9663255ae52f034a76f 5615 5614 2017-05-31T09:25:37Z JayFoxRox 2 wikitext text/x-wiki <noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> [[File:Text-x-generic.svg.png|16px]] {{{1}}} ({{{size|Unknown number of}}} bytes}}}) f9b28eefbcd68844f9701bcff902e19b20b3ec97 5616 5615 2017-05-31T09:26:27Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ({{{size|Unknown number of}}} bytes) <noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> 3e6f42100ad17c8a8a77df3f57198650a4cae465 5617 5616 2017-05-31T09:26:56Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ({{{size|Unknown number of}}} bytes)<noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> 24622c7f31c0ffae4a96c95358bcfe4a61cdadfc 5618 5617 2017-05-31T09:27:47Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ''({{{size|Unknown number of}}} bytes)''<noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> f4bab5396a4a278b86ab46ecf7b42705ee86fe2d 5620 5618 2017-05-31T09:55:11Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ''({{{size|Unknown number of}}} bytes)'' ^{<abbr title="{{{hash}}}">#</abbr>}<noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> 8ed0664b9fe98d6fc42ca9e090a37c2c4098fa21 5621 5620 2017-05-31T09:56:33Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ''({{{size|Unknown number of}}} bytes)'' ^{^{{{hash}}}}<noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> e20ea0186080e5a865fe3eadf72b71f6b45d132a 5622 5621 2017-05-31T09:57:53Z JayFoxRox 2 wikitext text/x-wiki [[File:Text-x-generic.svg.png|16px]] {{{1}}} ''({{{size|Unknown number of}}} bytes)'' ^{{{hash|}}}<noinclude><!-- Also getting an optional {{{hash}}} --></noinclude> 0d64a69a1f76683b342a2133f741ff120b57d4b2 0 3780 5599 2017-05-31T08:54:23Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617023052/http://www.xbox-linux.org/wiki/Xbox_Hard_Drive_Locking_Mechanism] by ''SpeedBump'' (original version: 13 August 2..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617023052/http://www.xbox-linux.org/wiki/Xbox_Hard_Drive_Locking_Mechanism] by ''SpeedBump'' (original version: 13 August 2002) The hard drive in the MS Xbox(tm) is a standard ide drive, which implements a rarely used security feature to restrict access to its data. This document will describe in full the security features, and the algorithms required to access the data on an xbox drive. ==The IDE (ATA) commands== The ATA spec defines a feature subset which allows for the user to limit access to the drive's data behind a hardware implemented locking mechanism. There are several commands in the SECURITY feature subset, but the command of most interest is the SECURITY_UNLOCK command. SECURITY_UNLOCK requires that the user provide one of two 32 byte passwords, either a user or master password. The Xbox uses the user password. Details on the data formats and timings for the data to be sent to the ide drive can be found in the ata specs (see [[https://web.archive.org/web/20100617023052/http://www.t13.org/]]). ==The password== The drive password is generated in two distinct phases. The first phase extracts a key (referred to as the HDKey) from the eeprom data on the Xbox. The HDKey is unique to each Xbox making this first phase dependant only on the Xbox eeprom of the unit. The second phase uses this HDKey to generate a password which is specific to the drive being unlocked (keyed to the model and serial numbers of the drive). ==Drive Data== During the second phase, the serial and model numbers are needed. These values are available in the response data from the DEVICE_IDENTITY ata command. However, the data needs to be properly reorganized. It is read in big endian words, and needs to be byte swapped first to get the byte ordering correct. Then, starting from the end of the data (serial == 20 bytes, model == 40 bytes) ignore ASCII spaces (byte value of 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ascii values in the fields. ==Basic Security algorithms== There are two primary crytography routines needed when generating an XBox drive password, SHA1 and RC4. SHA1 is a hashing algorithm. It's primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest. RC4 is a symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions. There is an algorithm called HMAC which uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature. I'm sure there is a mathematical basis for this, but I'm not willing to try to understand it&nbsp;:) ==The Password Algorithm== (some syntax notes, key data is shown entering functions from the side, data is shown entring from above or below, in order of presentation from left to right) <pre> RC4_key &gt;--(second)--&gt;--, /|\ | | | .-&lt;--|__eeprom_key__|--&gt;-----------&gt; HMAC_SHA1 | | /|\ | | | | | .---&gt;-----------' | | | | | eeprom_data = |__data_hash___|__enc_conf__|__enc_data__| | | | | | | | | \|/ | | | | rc4_decrypt &lt;----|---------&lt;| | | | | | | \|/ | | | | (must be equal) | \|/ | | /|\ | rc4_decrypt &lt;---' | | | | | | \|/ \|/ | | |_confounder_|____data____| | | / / | | | / / | | | / / | | | / / | | | \|/ / \|/ `---&gt;-----------------&gt; HMAC_SHA1 / |__HDKey__|__| /|\ / | \______/ | | .-------------------------&lt;--------' | | model_number serial_number | \ / | \ / `---&gt;-----------------&gt; HMAC_SHA1 | \|/ HD_password </pre> <br /> This seems to be the easiest way to show the required calculations. Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes 20 bytes into eeprom_data) and the encrypted data (20 bytes 28 bytes into eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the eeprom. If they don't match then the eeprom data is not correct. If the hashes match then the first 16 bytes of the decrypted data field is the HDKey. Once you have the HDKey get the model number and serial number from the ide drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros. ==Remaining Questions== The algorithm is well known, however it is dependant on the eeprom_key. It would be ideal if this key could be compiled into a driver to perform the generation and the unlocking. However noone appears to be able to answer the question of legality. Is it legal to privide the eeprom key? Either way, the drive can be unlocked. The ability to distribute the key will only help people use the drive outside the xbox (plus make it simpler to unlock the drive in the xbox). 8d88176917174a02ce6d6516eba740b63973c7b8 5626 5599 2017-05-31T10:01:34Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617023052/http://www.xbox-linux.org/wiki/Xbox_Hard_Drive_Locking_Mechanism}} by ''SpeedBump'' (original version: 13 August 2002) The hard drive in the MS Xbox(tm) is a standard ide drive, which implements a rarely used security feature to restrict access to its data. This document will describe in full the security features, and the algorithms required to access the data on an xbox drive. ==The IDE (ATA) commands== The ATA spec defines a feature subset which allows for the user to limit access to the drive's data behind a hardware implemented locking mechanism. There are several commands in the SECURITY feature subset, but the command of most interest is the SECURITY_UNLOCK command. SECURITY_UNLOCK requires that the user provide one of two 32 byte passwords, either a user or master password. The Xbox uses the user password. Details on the data formats and timings for the data to be sent to the ide drive can be found in the ata specs (see [[https://web.archive.org/web/20100617023052/http://www.t13.org/]]). ==The password== The drive password is generated in two distinct phases. The first phase extracts a key (referred to as the HDKey) from the eeprom data on the Xbox. The HDKey is unique to each Xbox making this first phase dependant only on the Xbox eeprom of the unit. The second phase uses this HDKey to generate a password which is specific to the drive being unlocked (keyed to the model and serial numbers of the drive). ==Drive Data== During the second phase, the serial and model numbers are needed. These values are available in the response data from the DEVICE_IDENTITY ata command. However, the data needs to be properly reorganized. It is read in big endian words, and needs to be byte swapped first to get the byte ordering correct. Then, starting from the end of the data (serial == 20 bytes, model == 40 bytes) ignore ASCII spaces (byte value of 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ascii values in the fields. ==Basic Security algorithms== There are two primary crytography routines needed when generating an XBox drive password, SHA1 and RC4. SHA1 is a hashing algorithm. It's primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest. RC4 is a symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions. There is an algorithm called HMAC which uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature. I'm sure there is a mathematical basis for this, but I'm not willing to try to understand it&nbsp;:) ==The Password Algorithm== (some syntax notes, key data is shown entering functions from the side, data is shown entring from above or below, in order of presentation from left to right) <pre> RC4_key &gt;--(second)--&gt;--, /|\ | | | .-&lt;--|__eeprom_key__|--&gt;-----------&gt; HMAC_SHA1 | | /|\ | | | | | .---&gt;-----------' | | | | | eeprom_data = |__data_hash___|__enc_conf__|__enc_data__| | | | | | | | | \|/ | | | | rc4_decrypt &lt;----|---------&lt;| | | | | | | \|/ | | | | (must be equal) | \|/ | | /|\ | rc4_decrypt &lt;---' | | | | | | \|/ \|/ | | |_confounder_|____data____| | | / / | | | / / | | | / / | | | / / | | | \|/ / \|/ `---&gt;-----------------&gt; HMAC_SHA1 / |__HDKey__|__| /|\ / | \______/ | | .-------------------------&lt;--------' | | model_number serial_number | \ / | \ / `---&gt;-----------------&gt; HMAC_SHA1 | \|/ HD_password </pre> <br /> This seems to be the easiest way to show the required calculations. Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes 20 bytes into eeprom_data) and the encrypted data (20 bytes 28 bytes into eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the eeprom. If they don't match then the eeprom data is not correct. If the hashes match then the first 16 bytes of the decrypted data field is the HDKey. Once you have the HDKey get the model number and serial number from the ide drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros. ==Remaining Questions== The algorithm is well known, however it is dependant on the eeprom_key. It would be ideal if this key could be compiled into a driver to perform the generation and the unlocking. However noone appears to be able to answer the question of legality. Is it legal to privide the eeprom key? Either way, the drive can be unlocked. The ability to distribute the key will only help people use the drive outside the xbox (plus make it simpler to unlock the drive in the xbox). d29a82aedb52c1ed0af04946c879d5ecb9d510dc 0 3781 5600 2017-05-31T08:57:09Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System] by [https://web.archive.or..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System] by [https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/User:Michael_Steil Michael Steil] {| class="wikitable" |- | This [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf paper], dated 2005-10-25, has been submitted to the [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/ 22nd Chaos Communication Congress] and has been on [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/fahrplan/events/559.en.html December 29th 2005, 18:00], at the Berliner Congress Center, Berlin, Germany. A '''recording''' of the presentation is available here: [https://web.archive.org/web/20100617003620/http://video.google.com/videoplay?docid=-749497642180741726 Google Video: Team Xbox-Linux at 22C3]. '''Another recording''' of a slightly updated talk is available here: [https://web.archive.org/web/20100617003620/http://video.google.com/videoplay?docid=-4356347903120410001 Google Video: Deconstructing The Xbox Security System] |} == Introduction == The Xbox is a gaming console, which has been introduced by Microsoft Corporation in late 2001 and competed with the Sony Playstation 2 and the Nintendo GameCube. Microsoft wanted to prevent the Xbox from being used with copied games, unofficial applications and alternative operating systems, and therefore designed and implemented a security system for this purpose. This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how ''not'' to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes. For every security concept, this article will first explain the design from Microsoft's perspective, and then describe the hackers' efforts to break the security. If the reader finds the mistakes in the design, this proves that Microsoft has weak developers. If, on the other hand, the reader doesn't find the mistakes, this proves that constructing a security system is indeed hard. === The Xbox Hardware === Because Microsoft had a very tight time frame for the development of the Xbox, they used off-the-shelf PC hardware and their Windows and DirectX technologies as the basis of the console. The Xbox consists of a Pentium III Celeron mobile 733 MHz CPU, 64 MB of RAM, a GeForce 3 MX with TV out, a 10 GB IDE hard disk, an IDE DVD drive, Fast Ethernet, as well as USB for the gamepads. It runs a simplified Windows 2000 kernel, and the games include adapted versions of Win32, libc and DirectX statically linked to them. Although this sounds a lot more like a PC than, for example, a GameCube with its PowerPC processor, custom optical drive and custom gamepad connectors, it is important to point out that, from a hardware point of view, the Xbox shares ''all'' properties of a PC: It has LPC, PCI and AGP busses, it has IDE drives, it has a Northbridge and a Southbridge, and it includes all the legacy PC features such as the "PIC" interrupt controller, the "PIT" timer and the A20 gate. nVidia sold a slightly modified Southbridge and a Northbridge with another graphics core embedded for the PC market as the "nForce" chipset between 2001 and 2002. === Motivation for the Security System === The Xbox being a PC, it should be trivial to install Linux on it in order to have a cheap and, for that time, powerful PC. Even today, a small and silent 733 MHz PC with TV connectivity for 149 USD/EUR is still attractive. But this is not the only thing Microsoft wanted to prevent. There are three uses that should not have been possible: * '''Linux''': The hardware is subsidized and money is gained with the games, therefore people should not be able to buy an Xbox without the intent to buy any games. Microsoft apparently feels that allowing the Xbox to be used as a (Linux) computer would be too expensive for them. * '''Homebrew/Unlicensed''': Microsoft wants the software monopoly on the Xbox platform. Nobody should be able to publish unlicensed software, because Microsoft wants to gain money with the games to amortize the hardware losses, and because they do not want anyone to release non-Internet Explorer browsers and non-Windows Media Player multimedia software. * '''Copies''': Obviously it is important to Microsoft that it is not possible to run copied games on the Xbox. Microsoft decided to design a single security system that was supposed to make Linux, homebrew/unlicensed software and copies impossible. The idea to accomplish this was by simply locking out all software that is either not on the intended (original) medium or not by Microsoft. On the one hand, this idea makes the security system easier and there are less possible points off attack. But on the other hand, 3 times more attackers have a single security system to hack: Although Open Source and Linux people, homebrew developers, game companies as well as crackers have little common interests, they could unite in this case and jointly hack the Xbox security system. Of the three consoles of its generation, Xbox, Playstation 2 and GameCube, the Xbox is the one whose security system has been compromised first, the one that is now easiest to modify for a hobbyist, the one with the most security system workarounds, and the one with the most powerful hacks. This may be, because the Xbox security is the weakest one of the three, but also because Open Source people, homebrew people and crackers attacked the Xbox, while the Open Source people did not attack the Playstation 2, as Linux had been officially supported by Sony, so the total number of hackers was lower, buying them time. === Idea of the Security System === In order to allow only licensed and authentic code to run, it is necessary to build a TCPA/Palladium-like chain of trust, which reaches from system boot to the actual execution of the game. The first link is from the CPU to the code in ROM, which includes the Windows kernel, and the second link is from the kernel to the game. There are several reasons that the operating system is contained in ROM (256 KB) instead of being stored on hard disk, like on a PC. First, it allows a faster startup, as the kernel can initialize while the hard disk is spinning up, furthermore, there is one link less in the chain of trust, and in case verification of the kernel gets compromised, it is harder to overwrite a ROM chip than modify data on a hard disk. == Startup Security == When turned on, x86-compatible CPUs start at the address 0xFFFFFFF0 in the address space, which is usually flash memory. For the Xbox, this is obviously no good idea, as flash memory can be * replaced, by removing the chip, fitting a socket and inserting a replacement chip. * overridden, by adding another flash memory chip to the LPC bus. This override functionality is necessary, because during manufacturing, an empty flash memory chip gets soldered onto the board, an override LPC ROM chip gets connected to the board and the system boots from the external ROM, which then programs the internal flash memory. This procedure is significantly cheaper than preprogramming the flash memory chips. * reprogrammed, because flash memory can be written to many times. It would be possible to use ROM instead of flash memory, but ROM is more expensive than flash memory. Thus, the machine must not start from flash memory. === Microsoft's Perspective === It would be possible to make two of the attacks impossible, by using ROM chips instead of flash. There would be no way to reprogram them, and it would be possible to disable the LPC override functionality in the chipset, because it is not needed for the manufacturing process any more. ==== The Hidden ROM ==== There is a solution between flash memory and ROM that combines advantages of both these approaches. This trick is rather old and had already been used in previous gaming consoles like the Nintendo 64: Use a tiny non-replaceable startup ROM, and put the bulk of the firmware data (i.e. the Windows kernel) into flash memory. The "internal" ROM checks whether the contents of the flash memory are authentic, and if yes, it passes execution to it. This way, there will be another link in the chain of trust, but the ROM code can be trusted (if it is non-replaceable), and if, in addition, it is non-accessible, an attacker may not even have a clue how verification works. ==== Location of the ROM ==== But where can this ROM be put? It cannot be a separate chip, as it would be replaceable. It would have to be included into another chip. The CPU would be ideal, as the ROM contents would not travel over any visible bus, but then it would be impossible to use cheap off-the-shelf Celerons. Including it in any other chip would make it non-replaceable, but data would travel over a bus. It seems to be a good compromise to store the ROM data in the Southbridge ("MCPX"), as it is connected via the ''very'' fast HyperTransport bus, so it is very hard to sniff. A former Microsoft employee confirmed that the developers tought that nobody was able to sniff HyperTransport. ==== Verification Algorithm ==== This secret ROM stored in the Southbridge must verify the Windows kernel in the external flash memory before executing it. One idea would be to checksum (hash) the flash contents using an algorithm like MD5 or SHA-1, but this would mean that the hash of the kernel has to be stored in the secret ROM as well, which would make it imposible to ship updated versions of the kernel in future Xboxes without also updating the ROM contents - which would be very expensive. A digital signature algorithm like RSA would be better: It would be possible to update the kernel without changing the ROM, but an RSA implementation takes up a lot of space, and embedded ROM in the Southbridge is expensive. It would be ideal if the algorithm fit in only 512 bytes, which is impossible for RSA. ==== Second Bootloader ("2bl") ==== A solution for this problem is again to introduce another link in the chain of trust: The ROM only hashes a small loader ("2bl", "second bootloader") in flash memory, which can never be changed. It is then the job of this loader to verify the rest of flash, and as the second loader can be any size, there are no restrictions. So the final chain of trust looks like this: The CPU boots from the secret ROM embedded into the Southbridge, which cannot be changed. The secret ROM verifies the second bootloader in flash memory using a hash algorithm, and if it is authentic, runs it. The second bootloader checks the kernel, and if authentic, runs it. Now the second bootloader and the Windows kernel would be stored in flash memory in plain text, which is a bad idea: An attacker can immediately see how the second bootloader verifies the integrity of the kernel, and even analyze the complex kernel for possible exploits. Encrypting all the flash contents will not solve possible vulnerability problems, but it will buy us time until the decryption of the flash contents is understood by hackers. The decryption key would have to be stored in the secret ROM, and the 2bl verification code would also have to decrypt the flash contents into RAM while reading it. ==== RAM Initialization ==== Decrypting flash memory contents into RAM is a challenge if we are living inside the first few hundred bytes of code after the machine has started up: At this point, RAM might not be stable yet. The reason for this is that Microsoft bought cheap RAM chips; they just took everything Samsung could give them to lower the price, even faulty ones, i.e. chips that will be unstable when clocked at the highest frequencies specified. The Xbox is supposed to find out the highest clock speed the RAM chips can go and run them at this frequency - this is the reason why some games don't run as smoothly on some Xboxes as on others. So the startup code in the secret ROM has to do a memory test, and if it fails, clock down the RAM, do another memory test, and if it fails again, clock down again, and so on, until the test succeeds or the RAM cannot be clocked down any further. The problem now is that it is impossible to do complex RAM initialization, data decryption and hashing in 512 bytes. This code would need at least 2 KB, which would be significantly more expensive, if embedded into the Southbridge. We could put the RAM initialization code, which is the biggest part of what the startup code needs to do, into flash memory, and call it from the secret ROM, but this would kill security, as an attacker could easily see the unencrypted code in flash, modify it and have the control of the machine right at the startup. The developers at Microsoft had a brilliant idea how to solve this problem: They designed an interpreter for a virtual machine that can read and write memory, access the PCI config space, do "AND" and "OR" calculations, jump conditionally etc. The instruction code has one byte instructions and two 32 bit operands, it can use immediate values as well as an accumulator. The interpreter for the virtual machine is stored in the secret ROM, and its code ("xcodes") is stored in flash memory. This code does the memory initialization (plus extra hardware initialization, which would not be necessary). This program cannot be encrypted, as there is again no space for it in the secret ROM, but as the virtual machine is unknown to the hacker, encryption should not be that important. It also cannot be hashed, as this would make it impossible to change the xcodes for later revisions of the Xbox hardware. Therefore we have to make sure that, if the hacker knows how the virtual machine works, it is impossible to do anything malicious with the xcodes. ==== The Virtual Machine ==== There are several ways an attacker could exploit the xcodes, which are by definition untrusted, because they reside in "external" flash memory. Microsoft included some code to make sure there were no possible exploits. ===== Read the Secret ROM ===== The xcodes can read memory and access I/O ports. This way an attacker could place xcodes into flash memory that dump the secret ROM, which must be mapped into the address space somewhere, to a slow bus, like the LPC or the I2C bus, or write it into CMOS or the EEPROM, so that we can read it later. The xcode interpreter has to make sure that the xcodes cannot read the secret ROM, which is located at the upper 512 bytes of the address space. The simplest way to accomplish this is to mask the address when reading from memory: <pre> and ebx, 0FFFFFFFh &nbsp;; clear upper 4 bits mov edi, [ebx] &nbsp;; read from memory location op1 into di jmp next_instruction </pre> This way, the xcodes can only ready from the lower 256 MB, which is no problem, as there are only 64 MB of RAM, and memory mapped I/O can be mapped into this region using PCI config cycles. ===== Turn off the Secret ROM ===== The xcodes may also not turn off the secret ROM, or else the CPU, while executing the xcode interpreter, would "fall down" from the secret ROM into the underlying flash ROM, which is also mapped to the top end of the address space. The turn off functionality is important: As soon as the second bootloader takes over, the secret ROM has to be turned off, or else an attack against a game, which makes it possible to run arbitrary code, could dump the secret ROM, making additional attacks against it possible. The secret ROM can be turned off by writing a value with bit #1 set to the PCI config space of device 0:1:0, register 0x80. So the xcode interpreter always clears this bit in case there is a write to this PCI config space register: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> ==== Encryption and Hashing ==== For the decryption of the second bootloader, Microsoft chose the RC4 algorithm, which is pretty small, as it fits into 150 bytes. It uses a 16 bytes key, which is also stored in the secret ROM. Microsoft's engineers also chose to use RC4 as a hash, so that no additional algorithm had to be implemented for this. Differential decryption algorithms feed the decrypted data into the generator of the decryption key stream, so if the encrypted code is changed at one byte, all the following bytes will decrypted incorrectly, up to the last bytes. This way, it is possible to only test the last few bytes. If they have been decrypted correctly, then the encrypted code has been authentic. (If you are getting suspicious now - read on!) In practice, the secret ROM in the Xbox compares the last decrypted 32 bit value with the constant of 0x7854794A. If it is incorrect, the Xbox has to panic. ==== Panic Code ==== So far, the code in the secret ROM does this: * Enter protected mode, and set up segment descriptors, so that we have access to the complete flat 32 bit address space. * Interpret the xcodes. * Decrypt and hash the second bootloader, store it in RAM * If the hash is correct, jump to the decrypted second bootloader in RAM, else panic. There is another possible attack here: A hacker could deliberately make the hash fail. If the Xbox then halts and flashes its lights to indicate an error, the attacker can attach a device to dump the secret ROM after the CPU has shut down and the bus is idle. Although HyperTransport is fast, it would be a lot easier to attach a device that actively requests the data from the Southbridge than sniffing it when the CPU requests it. One solution would be not to halt but to shut down the Xbox in case of a problem. The support chips have this functionality. But incorrect flash memory does not necessarily mean that there has been an attack, it could also be a malfunction, and the machine should use the LED to blink an error code. So we should leave the Xbox running, but just turn off the secret ROM, so that it cannot be read any more. But there is a problem: We have to do this inside the secret ROM. So if we disable the ROM, we cannot have the "hlt" instruction after that, because the CPU will "fall down" into flash memory - where an attacker could put code. On the other hand, if we halt the CPU, we cannot turn off the secret ROM afterwards. We cannot put the disable and halt code into RAM and jump there, because RAM might not be stable, and might even have been tampered with by an attacker (e.g. by turning off the memory controller using the xcodes) so that the secret ROM does not get turned off. We cannot put the disable and halt code into flash either, as again, an attacker could simply put arbitrary code to circumvent the complete system there. The Microsoft engineers used yet another brilliant trick: They jump to the very end of the address space (which is covered by the secret ROM) and turn off the secret ROM in the very last instruction inside the address space. This is a simplified version of the idea: <pre>FFFFFFF1 mov eax, 80000880h FFFFFFF6 mov dx, 0CF8h FFFFFFF9 out dx, eax FFFFFFFB add dl, 4 FFFFFFFC mov al, 2 FFFFFFFE out dx, al </pre> After the last instruction, the program counter (EIP) will overflow to 00000000, which, according to the CPU documentation, causes an exception, and as there is no exception handler set up, it causes a double fault, which will effectively halt the machine. === The Hacker Perspective === So much for the theory. The design looked pretty good, although the trade off between cost and security as it has been decided, might give some people headaches. Let us now have a look at the Xbox from the hackers' point of view. It has been well known that the Xbox chipset is a modified version of nVidia's nForce chipset, so we knew that it was standard IDE, USB, there was an internal PCI bus and so on. Two hackers from Great Britain, Luke and Andy, checked the hard disk and found out that it uses a custom partitioning scheme, a FAT-like filesystem, that there is no kernel on the hard disk, but there is the Xbox Dashboard on the fourth partition, the main program that gets executed if there is no game in the DVD drive, which allows changing settings, playing audio CDs and managing savegames. ==== Extracting the Secret ROM ==== Andrew "bunnie" Huang, then a PhD student at the MIT, disassembled his Xbox, saw the flash memory, de-soldered it, extracted the contents, put it on his website and got a phone call from one of Microsoft's lawyers. The flash memory image was obviously encrypted, but there was x86 binary code in the upper 512 bytes! Obviously, there should be no code in the upper 512 bytes, as this gets overridden by the secret ROM, which contains the actual machine setup and flash decryption code. Bunnie found out that this code was an interpreter for tables in flash memory, plus a decryption function that looked like RC4. He rewrote the crypto code in C and tried it on the data - but the resulting data was random, obviously something was wrong. The interpreter didn't make much sense either. The code used opcodes that were unknown to the interpreter. In order to find out what was wrong, bunnie rewrote the top of flash with his own code, and later even completely erased the upper 512 bytes, but the Xbox still booted! So it was obvious to him that this region gets overridden by some internal code. As it turned out later, the code in the upper 512 bytes of the flash image was a very old version of the secret ROM code, which had been unintentionally linked to the image by the build tools. It seems like nobody had looked at the resulting image at the end, before they shipped the consoles. This mistake was very close to a fatal one, and Microsoft was lucky that they didn't link the actual version of the secret ROM. But it didn't make that much of a difference, as bunnie sniffed the busses, and eventually dumped the complete secret ROM, including the RC4 key from HyperTransport, using a custom built sniffer - after all, he was working on his PhD degree about high performance computing, and he could use the excellent resources of the MIT hardware lab. When he published his findings, other people found out quite quickly that the validity check did nothing at all: The combination of decryption and hash with a cypher that feeds back the decrypted data into the key stream is a good idea, but unfortunately, RC4 is no such cypher. It decrypts bytes independently, so if one byte is wrong, all the following bytes will still be decrypted correctly. So checking the last four bytes has no effect: There is no hash. It turned out that the cypher used in the old version of the secret ROM as found in flash memory used the RC5 cypher. In contrast to RC4, RC5 does feed the decrypted stream back into the key stream. So they seem to have replaced RC5 with RC4 without understanding that RC4 cannot be used as a hash. Bunnie's theory why they abandoned RC5 is that RC5 was still a work in progress, and that Microsoft wasn't supposed to have it, so they went for the closest relative - RC4. ==== Modchips ==== Now that the encryption key was known and there was effectively no hash over the second bootloader, it was possible to patch this code: People added code to the second bootloader to patch the kernel after decryption (and decompression) to accept executables even if on the wrong media (DVD-R instead of original) or if the RSA signature of the executables was broken (i.e. unsigned homebrew software). Modchips appeared: Some of them had a complete replacement flash memory chip on them, others only patches a few bytes and passed most reads down to the original flash chip. All these modchips had to be soldered in parallel to the original flash chip, using 31 wires. Now other people found out that, if the flash chip is completely missing, the Xbox wants to read from a (non-existant) ROM chip connected to the (serial) LPC bus. This is of course because of the manufacturing process: As it has been explained before, the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. Modchip makers soon developed chips that only needed 9 wires and connected to the LPC bus. It was enough to ground the data line D0 to make the Xbox think that flash memory is empty. Lots of these "cheapermods" appeared, as they only consisted of a single serial flash memory chip. They could be installed within minutes, especially after some companies started shipping chips that used pogo pins, so that no soldering was required. Some groups wrote applications like boot menus that made it possible to copy games to hard disk and run them from there. Patched Xbox kernels appeared that supported bigger hard disks. Making the Xbox run copies from DVD-R or hard disk as well as homebrew applications written with the official Xbox SDK was now easy. ==== Backdoors ==== The Xbox Linux Project was working on two ways to start Linux: Either run the Linux kernel from a CD/DVD as if it was a game, or run it directly from flash memory, or from HD/DVD using a Linux bootloader in flash memory, so that the Xbox behaved like a PC. For the latter, Xbox Linux was working on a replacement firmware. It would have been no problem to write a replacement firmware that took over execution instead of the second bootloader, as it was possible to completely replace this second bootloader, as well as encrypt it, using the well-known key from the secret ROM. But the firmware developers felt very uncomfortable with the idea of using this secret key in their GPL code. Other hackers felt the same, and thus were looking for bugs and backdoors in the secret ROM code, in order to find a way to be able to implement a replacement firmware without having to deal with encryption. ===== The Visor Backdoor ===== A hacker named visor, who never revealed his real name, wondered whether the rollover to 00000000 in case of an incorrect 2bl "hash" really caused a double fault and halted the CPU. He used the xcodes to write the assembly instruction for "jmp 0xFFFF0000" to the memory location 00000000 in RAM and changed the last four bytes in 2bl, in order to make the secret ROM run the panic code. The Xbox happily continued executing code at 00000000 and took the jump into flash. When appending these instructions to the existing xcodes, he could make sure that RAM had been properly initialized and was thus stable. So there was no need to encrypt the Xbox Linux bootloader firmware with the secret key any more. It was enough to add the memory write instruction to the end of the xcodes and make sure that 2bl decryption fails - which will automatically happen, if the firmware replacement does not contain the 2bl code. Now why is there no double fault? Hackers from the Xbox Linux team checked with AMD employees and they explained that AMD CPUs ''do'' throw an exception in case of EIP overflows, but Intel CPUs don't. The reason that Intel CPUs don't is because of... 1970s stuff. Execution on x86 CPUs starts at the top of the address space (minus 16 bytes), but some computer makers wanted to have their ROM at the bottom of the address space, i.e. at 0, so Intel implemented the instruction with the encoding 0xFFFF, which is what you get when reading from addresses not connected to any chip, as a No-Operation ("nop") and made the CPU throw no exception in case of the address space wraparound. This way, the CPU would "nop" its way up to the top, and finally execute the code at 0. AMD did not implement this behavior, as it had not been necessary any more by the time AMD entered the x86 market with it own designs, and because they felt that this behavior was a security risk and fixing it would not mean a significant incompatibility. But why did Microsoft do it wrong? This can be explained with the history of the Xbox: AMD offered to design and manufacture both the CPU and the motherboard (including the chipset), and nVidia was contracted to contribute the graphics hardware. The first developer systems, even outside of Microsoft, were Athlon-based, but then Intel came in and offered their chips for less money, as well as the complementary redesign of the existing AMD chipset to work with their CPU. Consequently, nVidia licensed the AMD chipset so that the AMD name vanished. This also means, that nVidia nForce chipset is essentially AMD technology, closely related to the AMD-760 chipset. So when Microsoft switched from AMD to Intel, they apparently forgot to test their security code again with the new hardware, or to read the Intel datasheets. ===== The MIST Hack ===== Soon after the visor hack, another vulnerability was found in the secret ROM code, attacking the code that checks whether an xcode wants to disable the secret ROM. Let us look at this code again: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> The PCI config address is stored in the EBX register in the beginning. This address has to be sent to I/O port 0x0CF8, and the 32 bit data has to be sent to I/O port 0x0CFC. The address is encoded like this: <pre>0-7 reg 8-10 func 11-15 device 16-23 bus 24-30 reserved 31 always 1 </pre> The attack is pretty obvoius: there are seven reserved bits in the address, and the code tests for a single exact value. What happens if we write to an alias of the same address, by using an address with only some of the bits 24 to 30 changed? While the instruction <pre>POKEPCI(80000880h, 2) </pre> will be caught, the instruction <pre>POKEPCI(C0000880h, 2) </pre> will not be caught - and works just as well, because the PCI bus controller just ignores the unused bits. This instruction disables the secret ROM, that is, the interpreter disables itself when sending the value to port 0x0CFC, and the CPU falls down to flash memory. We can put a "landing zone" into flash, by filling all of the top 512 bytes with "nop" instructions, and putting a jump to the beginning of flash into the last instruction, so that we do not have to care where exactly the CPU lands after falling down, and we are independent of possibly hard to reproduce caching effects. It is hard to find a good reason for this bug other than carelessness. It might be attributed to not reading the documentation closely enough, as well as not looking at it from the perspective of a hacker well enough. After all, this code had been written with a specific attack in mind - but the code made hacking easier, by giving hackers a hint how to attack. ===== Another PCI Config Space Attack ===== There is a second sequence of xcode instructions that can disable the secret ROM just as well, which are not caught by the interpreter: The interpreter supports writing bytes to I/O ports, so it is possible to put together the code to disable the secret ROM using 8 bit I/O writes: <pre>OUTB(0xcf8), 0x80 OUTB(0xcf9), 0x08 OUTB(0xcfa), 0x00 OUTB(0xcfb), 0x80 OUTB(0xcfc), 0x02 </pre> This hack has been unreleased until now. It has been found not long after the MIST hack, but kept secret, in case Microsoft fixed the MIST bug. In the meantime, they have implemented a fix that makes all hacks impossible that are based on turning off the secret ROM. This will be described in detail later. ===== More Ideas ===== There have been more ideas, but few of them have been pursued, as long as other existing backdoor existed. One possible idea is to base a hack on caching... == Startup Security, Take Two == When bunnie hacked the secret ROM, Microsoft reacted by updating the ROM. Thousands of already manufactured Southbridges were trashed, new ones made. The hacker community called these Xboxes "version 1.1" machines. === Microsoft's Perspective === Microsoft had now understood that RC4 cannot be used as a hash, so they implemented an additional hash algorithm, which was to be executed after decryption. As there were only few bytes left, the hash algorithm had to be tiny - so the "Tiny Encryption Algorithm" ("TEA") was used. Every encryption algorithm can be changed to be used as a hash, and TEA seemed to be a good choice, as it is really small. While they were at it, they also changed the RC4 key in the secret ROM, so that hackers would not be able to decrypt 2bl and the kernel without dumping the new secret ROM. === The Hacker Perspective === The extraction of the secret ROM was done by members of the Xbox Linux Project this time, only days after they got their hands on the new 1.1 boxes, and only two weeks after they first appeared. ==== The A20 Hack ==== To date, Microsoft does not know how the Xbox Linux Project did it. But since there will most probably be no future revisions of the Xbox, as the Xbox 360 has already taken over, we can release this now. Let us start with some PC history. The 8086/8088, the first CPU in the x86 line, was supposed to be as closely compatible to the 8080, which was very successful on the CP/M market. The memory model therefore was similar to the 8080, which could access only 64 KB, by dividing memory into 64 KB blocks. Intel decided that the 8086/8088 could have a maximum of 1 MB of RAM, which would have meant 16 "segments" of 64 KB each. But instead of doing it this way, they decided to let the 64 KB segments overlap, and have 65536 of these segments, starting every 16 bytes. An address was therefore specified by a segment and an offset. The segment would be multiplied by 16, and the offset would be added, to result in the effective address. As an example, 0x0040:0x006C would be 0x40*0x10+0x6C=0x46C. An interesting side effect of this method is that it is possible to have addresses above 1 MB: The segment 0xFFFF starts at the effective address 0xFFFF0, so it should only contain 16 bytes instead of 64 KB. So the address 0xFFFF:0x0010 would be at 1 MB, and 0xFFFF:0xFFFF would be at 1 MB plus roughly 64 KB. The 8086/8088 could not address more than 1 MB, because it only had 20 address lines, so addresses above 0xFFFF:0x000F were wrapped around to the lower 64 KB. But this behavior was different on the 286, which had 24 address lines: It was actually possible to access roughly 64 KB more using this trick, which was later abused by MS-DOS as "high memory". Unfortunately there were some 8086/8088 application that broke, because they required the wraparound for some reason. It wasn't Intel who found that out, but IBM, when they designed the IBM AT, and it was too late to modify the behavior of the 286, so they fixed it themselves, by introducing the A20 Gate ("A20#"). An unused I/O pin in the keyboard controller was attached to the 20th address line, so that software could pull down address line 20 to 0, thus emulating the 8086/8088 behaviour. This feature was later moved into the CPUs, and all Pentiums and Athlons have it - and so does the Xbox. If A20# is triggered, bit 20 of all addresses will be 0. So, for example, an address of 1 MB will be 0 MB, and if the CPU wants to access the top of RAM, it will actually access memory that is 1 MB lower than the top. Keeping this in mind, the attack on the Xbox is pretty straightforward: If we connect the CPU's A20# pin to GND, the Xbox will not start from FFFFFFF0, but from FFEFFFF0 - this is not covered by the secret ROM, but is ordinary flash memory, because flash is mirrored over the upper 16 MB. So by only connecting a single pin, the secret ROM is completely bypassed. What is cool about this, is that the secret ROM is still turned on. So we could easily dump the secret ROM trough one of the low speed busses (we used the I2C bus), by placing a small dump application into flash memory. ==== The TEA Hash ==== After reading Bruce Schneier's book on crypto, we learned that TEA was a really bad choice as a hash. The book says that TEA must never be used as a hash, because it is insecure if used this way. If you flip both bit 16 and 31 of a 32 bit word, the hash will be the same. We could easily patch a jump in the second bootloader so that it would not be recognized. This modified jump lead us directly into flash memory. But why did they make this mistake? Obviously the designers knew nothing about crypto - again! - and just added code without understanding it and without even reading the most basic books on the topic. A possible explanation why they chose TEA would be that they might have searched the internet for a "tiny" encryption algorithm - and got TEA. ==== Visor Backdoor and MIST Hack ==== The Visor Backdoor was still present, so again, for the replacement Linux firmware, the Xbox Linux developers did not have to exploit the crypto code, but could simply use this backdoor. Microsoft obviously released the updated secret ROM much too quickly, just after bunnie dumped it and people saw that RC4 was no hash, but before the visor backdoor had been discovered. The MIST hack had been discovered after the visor bug - but it no longer worked on the Xbox 1.1. Not because they fixed the comparison - they didn't -, but because they changed the address logic: If you accessed the upper 512 bytes of the address space, and the secret ROM was turned off, the Xbox would just crash, thus making all "fall down" hacks impossible. This way they closed both possible attacks, writing to an alias, and using 5 OUTB instructions. Microsoft obviously discovered the turnoff vulnerability themselves, closing at least one backdoor, but keeping another one open, and not really closing a second one. It was too expensive to trash the 1.1 Southbridge chips again for yet another update, so Microsoft still uses these chips in today's Xboxes. === Today === In later revisions of the Xbox, Microsoft removed some pins of the LPC bus, making modchip design harder, but they could not remove the LPC bus altogether, because they needed it during the manufacturing process. In the latest revision of the Xbox hardware (v1.6), they finally switched from flash memory to real ROM - and even integrated the ROM with the video encoder. The LPC bus is not needed for manufacturing any more, as the ROM chips are already preprogrammed. So now it is impossible to replace or to overwrite the kernel image, and because of the missing LPC bus, it also seems impossible to attach a ROM override. But modchips are still possible. The obvious LPC pins are gone now, but the bus is still there. If you find the LPC pins on the board, you can attach a ROM override just as before, the modchips are only a bit harder to install. This is because the Southbridge still has the LPC override functionality, since they did not make a new revision of it - as so often, obviously for monetary reasons. == Xbox Kernel Security == Let us have a look at the chain of trust again: * The CPU starts execution of code stored in the secret ROM. * The secret ROM decrypts and verifies the second bootloader. * The second bootloader decrypts and verifies the Windows kernel. * The Windows kernel checks the allowed media bits and the RSA signature of the game. This last link is a complete software thing, so all the attacks have been pretty much standard. Some people tried to brute force the RSA key used for the game signature - no joke! But what is more likely, successfully brute forcing RSA 2048, or finding a bug in Microsoft's security code? After the experience with the first links of the chain of trust, the Xbox Linux Project focused on finding bugs in the software. We found no bug in the RSA implementation. It is taken straight out of Windows 2000 and looks pretty good. But there are always implicit additional links in the chain of trust: All code reads data, and data can cause security risks if handled incorrectly. === Game Exploits === What data do games load? Graphics data, audio data, video data... - but we cannot alter them, because it is not easily possible to create authentic Xbox DVDs, and the Xbox won't boot originals from DVD-R etc. But most games can load savegames, and these can easily be changed: The Xbox memory units are more or less standard USB storage devices ("USB sticks"), so it is possible to use most USB sticks with the Xbox, and just store hacked savegames on them. Plenty of Xbox games had buffer vulnerabilities in their savegame handlers. It was often as easy as extending the length of strings like the name of the player, and the game would overwrite its stack with our data and eventually jump to the code we embedded in the savegame. The procedure for the user was then to simply copy a hacked savegame from a USB stick onto the Xbox hard disk, run the game and load the savegame. But after a buffer exploit, we would normally only be in user mode - not on the Xbox, as all Xbox games run in kernel mode. The reason for this is probably a slight speed advantage, or, less likely, a simpler environment for the game, but Microsoft tried to make the environment as similar to the Windows/DirectX environment as possible, so user mode would have actually made the environment "simpler" for many Windows/DirectX developers. Now that we have full control of the machine, we can overwrite the flash memory chip. It is write protected by default, but disabling the write protection is as easy as soldering a single bridge on the motherboard. After all, this bridge has to be closed temporarily during manufacturing when programming flash memory for the first time. Using this hack, it is possible, only with a USB stick, one of several games (007 Agent Under Fire, MechAssault, Splinter Cell, ...) and a soldering iron, to permanently modify the Xbox, just as if a modchip was installed. Because early Xboxes had a 1 MB flash chip, although only 256 KB had been used, it was even possible to install several ROM images in flash and attach a switch. But the Xbox Linux Project did not blindly release this hack. The first savegame proof of concept exploit had been finished in January 2003. After that, a lot of energy was invested in finding out a way to free the Xbox for homebrew development and Linux, but not allowing game copies. Microsoft was contacted, but without any success. They just ignored the problem. Finally in July, the hack was released, with heavy obfuscation, and lockout code for non-Linux use. It was obvious that this would only slow down the "hacking of the hack", so eventually, people would be able to use this vulnerability for copied games, but since Microsoft showed no interest in finding a solution, there was no other option than full disclosure. The suggestion of the Xbox Linux Project would have been to work together with Microsoft to silently close the security holes and, in return, work on a method to let homebrew and Linux run on the Xbox. === Dashboard Exploits === The problem with the savegame hack was that, if you didn't want to overwrite the flash memory chip, you had to insert the game and load the savegame every time you wanted to run unsigned code. But having full control of the machine using the savegame exploit also meant we could access the hard disk without opening the Xbox. This way, it became interesting to closely examine the hard disk contents for vulnerabilities. The Dashboard is the main program on hard disk, executed every time the Xbox is started without a game in the DVD drive. The dashboard may even be the very reason the Xbox ships with a hard disk: While the settings menu and savegame management on the Nintendo GameCube fit well into 2 MB of ROM, the Xbox Dashboard, which is roughly comparable in its functionality, occupies more than 100 MB. So the original idea why to include a hard disk might have been initiated by the inability to compress the Dashboard into typical ROM sizes - and they might have decided to make the best out of it, and find additional uses for the hard disk. The dashboard loads its data files, like audio and graphics, from hard disk. With the savegame exploit, we can now alter the hard disk contents, even without opening the Xbox. Of course the dashboard executable is signed and can therefore not be altered, and all data files are hashed, with the hashes stored inside the dashboard executable. Well, all files, except for two: the font files. Consequently, there was an integer vulnerability in the font handling routines, so that we could run our own code by replacing the font files. Combined with the savegame exploit, it was as easy as transferring the savegame and loading it, which would run a script that modifies the fonts. Now every time the Xbox is turned on, the Dashboard crashes because of the faulty fonts and runs our code embedded in these files. Our code reloads the Dashboard with the original fonts, hacks it, and runs it. Hacking the Dashboard meant two things: Modifying one menu entry to read "XBOX LINUX" instead of "XBOX LIVE" and running the Linux bootloader instead of the Xbox Live setup executable, and modifying the kernel to accept both applications signed with Microsoft's RSA key as well as those signed with our RSA key, from hard disk and from CD/DVD. We called this "MechInstaller", as it was based on the "MechAssault" savegame exploit. Only accepting code either signed by the original key or by our key, keeping our key secret, and using heavy obfuscation again, meant that nobody could easily abuse this solution for copied games. This hack shows several things: Hackers have phantasy, the combination of flaws can lead to fully compromising the security system, powerful privileged code should be bug-free and security code should really catch ''all'' cases. Oh, and there is another vulnerability, an integer vulnerability in the audio player code. The attack was developed independently of the font attack, but was inferior because it would have required the user to enter the audio player every time to run Linux. ==== Microsoft's Fixes ==== The history of Microsoft's reactions to the font vulnerability is the perfect lesson of how to do it wrong. # After MechInstaller had been released, Microsoft fixed the buffer vulnerability in the Dashboard and distributed this new version over the Xbox Live network and shipped it with new Xboxes. # For the hackers, this was no major problem: It was possible to downgrade the Dashboard of a new Xbox to the vulnerable version. Just run Linux using a savegame exploit, and "dd" the old image. Some people felt downgrading on new Xboxes was not piracy, because after all, Microsoft upgraded Xbox Live users' hard disks to the new version without asking. # As the next step, Microsoft blacklisted the old Dashboard in the new kernel. It was impossible to just "dd" an old Dashboard image onto newer Xboxes. # Still no major problem for hackers: The second executable on the hard disk, "xonlinedash", which is used for Xbox Live configuration, had the same bug, so it was possible to copy the old "xonlinedash" and to rename it to "xboxdash" to make it crash because of the faulty fonts. # Microsoft consequently blacklisted the vulnerable version of "xonlinedash". # Again, no major problem for hackers: All Xbox Live games come with the "dashupdate" application, which adds Xbox Live functionality to the Dashboard for the first Xboxes which came without it. This update application has the same font bug, and it can be run from hard disk. So it is possible to copy the file from any Xbox Live game DVD, rename it to "xboxdash" and let it crash. # Microsoft could not blacklist this one. Xbox Live enabled games run the update application every time they start, making sure the Xbox has the Xbox Live functionality. Blacklisting "dashupdate" would break these games. We won. == The Mistakes that Have Been Made == Microsoft obviously made a lot of mistakes. But it would be too easy to just attribute all these to stupid engineers. There have been good (and different) reasons for most of these mistakes, and one can learn a lot from them. There are 17 kinds of mistakes they made, several of which have been made more than once. I will group the 17 mistake types into three categories: Design mistakes, implementation mistakes and bad policy decisions. === Design === ==== #1: Security vs. Money ==== Be very careful with tradeoffs between security and money. There are rarely sensible compromises. Keep in mind that the very reason for the security system is to make more money, or to prevent money losses. Security systems cannot be "a little better" or "a little worse". Either they are effective - or they are not. By saving money on the security system, you may easily make it not effective at all, not only wasting the money spent on the security system, but also making losses because it is not effective. Microsoft made many compromises. * In-system programming of flash memory is cheaper than preprogramming, but an attacker can also override the firmware with an LPC ROM. * Buying all of Samsung's RAM chips is cheaper than only buying those within the specs, but it made RAM initialization more complex, using up space that could otherwise be used for better security code. * They chose to put the secret ROM into the Southbridge instead of the CPU, because the Southbridge was a custom component anyway and having a custom CPU would have been a lot more expensive, but keys travel over a visible bus if the secret ROM is outside the CPU. * They saved money choosing not to update the Southbridge a second time, which would have fixed the TEA hash and removed the visor backdoor. This would have made modchips virtually impossible. ==== #2: Security vs. Speed ==== Don't trade security for speed. Although it may be true that the product in question must be as fast as possible in order to be able to compete with similar products on the market, remember that in IT, computers aren't slower or faster by some percentage - but by factors! Besides, you might lose more money because of a security system that does not work than because of a product that is 10 percent slower than it could be. Most probably for added speed (one address space, no TLB misses), Microsoft chose to run all code in kernel mode, even games that interacted with untrusted data that came from the outside. This made it possible to have complete control of the machine once a game crashed because of a prepared savegame, including complete control of the hard disk and the possibility of booting another operating system. ==== #3: Combinations of Weaknesses ==== Be aware of the fact that a combination of security flaws can lead to a successful attack. Don't think that a possible security hole (or "only" a security risk) cannot be exploited because there are so many barriers in front of it. Attackers might break all the other barriers that block the vulnerability, and fixing that one hole would have stopped them. MechInstaller is a great example for that. It was only possible because of the combination of several security weaknesses: * The boot process was vulnerable, so we could use a modified kernel to analyze games. * Some games are not careful enough with savegames, so that we can run our own code. * Games run in kernel mode, so we have full control of the hardware. * The Dashboard does not verify the integrity of the font files. * The Dashboard has a vulnerability in the font code. If any of these weaknesses had not been there, then MechInstaller would not have been possible. Also note that hackers have enough fantasy to find out these combinations. ==== #4: Hackers' Resources ==== Understand that hackers may have excellent resources. Hobbyists may use resources from work or from university, and professional attackers can also be very well-equipped. It is a big mistake to underestimate them. So never think you are safe because it would be too much work or too expensive to exploit a weakness. If it is a weakness, it will eventually be exploited. Also understand that hackers may have excellent human resources. Not only in number, but also in qualifications. Microsoft put the secret ROM into the Southbridge instead of the CPU, which meant that the secret key would travel over a visible bus. This is the very fast HyperTransport bus, which, at that time, could not be sniffed using logic analyzers any mortal could afford. But with help of the resources of the MIT and using all of his expertise, bunnie could build his own hardware that could sniff the bus. ==== #5: Barriers and Obstacles ==== Don't make anything "harder for hackers". Instead make it "impossible for hackers", or, if it cannot be made impossible, don't care about it. Because of the potential great number and excellent qualifications of hackers, no obstacle will have any effect or slow down hacking significantly. But instead, in security design, you might make mistake #3, because you think you are safe as there are so many obstacles in the hackers' way. Use the resources you would invest into building obstacles into building or strengthening barriers instead - possibly at a different location. Microsoft built obstacles into the system at many different locations. * Savegames will only be accepted if they are signed, but the private key is of course stored inside the game, so this is no barrier. Instead, they should have made sure the games contain no buffer vulnerabilities in their savegame handlers. * The hard disk is secured with an ATA password, different for every Xbox and stored on an EEPROM inside the Xbox, but an attacker can just "hotswap" an unlocked hard disk from a running Xbox to a running PC. Instead, they should have put that energy into verifying whether the Dashboard really hashes all data it reads from the hard disk. * The 512 bytes of security startup code were embedded in a custom chip to make it hard to sniff. Instead, they should have made sure that there are no bugs in that security code. ==== #6: Hacker Groups ==== Don't use one security system for different purposes, or else attackers with very different goals will jointly attack it, being a lot more effective. Instead, try to find out who your enemies really are and what they want, and design your security system so that every group gets as much of what they want so that it does not hurt you. There were three possible goals for Xbox hackers: Run Linux and use it as a computer, run homebrew software like media players and emulators, and run copies. Although there were some overlaps between Linux and homebrew people, as well as between homebrew people and people interested in copies, these were essentially three very different groups. Because they were all locked out by the same protection, they worked together, either explicitly, or implicitly, by using the results of each other. No Linux hackers ever attacked the Playstation. When you are fair, people don't fight you. ==== #7: Security by Obscurity ==== Security by obscurity does not work. Well-proven algorithms like SHA-1 and RSA work (of course given your implementation is well-proven as well). Microsoft hid the secret ROM, the Windows kernel, the game DVD contents (no way to read them on a standard DVD drive) and the hard disk contents using different methods. None had any effect. Also see #5. ==== #8: Fixes ==== When your security system has been broken, don't release quick fixes, for two reasons: Your fixes may be flawed and may not actually correct the problem, and even worse holes may be found not much later, which you must fix again - and ship yet another version. Instead, every time a security vulnerability is found, audit your complete security system and search for similar bugs, as well as other bugs in the same part of the system, based on the knowledge you gained from the successful hack. Microsoft failed to correct the hash problem in the second version of the secret ROM, and didn't fix the visor vulnerability, which was found just weeks later. After trashing thousands of already manufactured v1.0 Southbridge chips, which was very expensive, they decided not to update the Southbridge a second time. Another example is the dashboard odyssey: Instead of blacklisting the vulnerable executables at a time, they released three updates, none of which was effective. === Implementation === ==== #9: Data Sheets ==== Know everything about the components you use. Do read data sheets. Be very careful with components that have legacy functionality. Microsoft did not notice the A20# legacy functionality as a security risk. It seems that they did not completely analyze the functionality of the Pentium III Celeron, or else they should have noticed. They also apparently did not read the Pentium programmers' manual, or else they would have noticed that Intel CPUs do not panic on a FFFFFFFF/00000000 wraparound. ==== #10: Literature ==== Read (at least!) standard literature. If you are dealing with cryptography, this means you have to read at last Schneier's "Applied Cryptography". Microsoft's engineers did not know that TEA must not be used as a hash, and that RC4 does not feed the decrypted stream back into the key stream. ==== #11: Pros ==== Get experienced professionals to work on your security system, both on the design and the implementation. If it's a money issue, see #1. Looking at mistakes #9 and #10, it seems very probable that at least some of Microsoft's engineers had no prior experience with cryptography or the design of a security system. We also know that people on an internship were working on Xbox security. ==== #12: Completeness ==== Check whether your security code catches all cases. If it does not, you did not only waste time implementing all of it, but you may also give hints to hackers: If there are many checks at one point of the code, it looks a lot like code that is relevant for security and an attacker can check whether all cases are caught. Microsoft made this mistake twice: The xcode interpreter tests for the secret ROM turnoff code, and doesn't catch all cases. And the Dashboard hashes all files it is going to read, except for two. This gave us the ideas where to attack. ==== #13: Leftovers ==== Look at the final product from the perspective of a hacker. Hexdump and disassemble your final builds. There could be leftovers! The Xbox flash memory image contained an old version of the secret ROM, giving us not only hints about the contents of the actual secret ROM, but also an insight into what Microsoft planned and why some mistakes have been made. ==== #14: Final Test ==== Test your security system when you have the final parts and with the final software components in place. Changing something may very well open holes somewhere else. When you change something, rethink the complete system, and check all assumptions that you made. The visor hack was only possible because Microsoft failed to adapt their security system, designed for the AMD CPU, to the Intel CPU. The "hash" in the secret ROM had no effect because they changed RC5 to RC4 without thinking about the implications. === Policies === ==== #15: Source ==== Keep your source safe. Find engineers you can trust. The complete Xbox source code has leaked, including the kernel and libraries source. Groups interested in copies could easily modify it to support running games from hard disk, support for hard disks bigger than 137 GB, custom boot logos etc. This had been previously done by patching the binary. ==== #16: Many People ==== Have many good people have a look at both your design and your implementation. Keeping your source code safe means having engineers you can trust, and not letting none of your engineers see the source code. As stated at #7, your system should not rely on the source code being safe. Unless you did #7 completely wrong, a bug in the security system is typically a lot worse than a leak of the source code. It seems a lot like very few people have actually seen the Xbox security code. ==== #17: Talk ==== Know your enemy - and talk to them. They are not terrorists that you are not supposed to negotiate with. Their intent is not to harm you but to reach their goals. Working on their goals on their own might harm you indirectly, because the hackers may not care about the same things as you do. Seek the contact to hackers, know what they are doing and have them inform you about a vulnerability before publishing it. Make them know your position and why they should respect it, but also respect their position. Offer them to loosen the security system for what they want in exchange for the non-disclosure of their findings. Microsoft refused to talk about the savegame and font vulnerabilities. If we had been bad hackers, we could have released both of them as-is, immediately making it possible to run copies on Xboxes without the use of a modchip. Instead, we sought contact to Microsoft: We would have preferred to see a backdoor for Linux in the Xbox security system, instead of a solution based on our findings that would allow running copies. But as they refused to talk, we were forced to release the exploits, and they were lucky we heavily obfuscated our solutions so in order to slow down people interested in using it for copies. == Conclusion == The security system of the Xbox has been a complete failure. 48c8b6323ae269a9d81980db711518670da1bc38 5625 5600 2017-05-31T10:01:08Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System}} by [https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/User:Michael_Steil Michael Steil] {| class="wikitable" |- | This [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf paper], dated 2005-10-25, has been submitted to the [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/ 22nd Chaos Communication Congress] and has been on [https://web.archive.org/web/20100617003620/http://events.ccc.de/congress/2005/fahrplan/events/559.en.html December 29th 2005, 18:00], at the Berliner Congress Center, Berlin, Germany. A '''recording''' of the presentation is available here: [https://web.archive.org/web/20100617003620/http://video.google.com/videoplay?docid=-749497642180741726 Google Video: Team Xbox-Linux at 22C3]. '''Another recording''' of a slightly updated talk is available here: [https://web.archive.org/web/20100617003620/http://video.google.com/videoplay?docid=-4356347903120410001 Google Video: Deconstructing The Xbox Security System] |} == Introduction == The Xbox is a gaming console, which has been introduced by Microsoft Corporation in late 2001 and competed with the Sony Playstation 2 and the Nintendo GameCube. Microsoft wanted to prevent the Xbox from being used with copied games, unofficial applications and alternative operating systems, and therefore designed and implemented a security system for this purpose. This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how ''not'' to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes. For every security concept, this article will first explain the design from Microsoft's perspective, and then describe the hackers' efforts to break the security. If the reader finds the mistakes in the design, this proves that Microsoft has weak developers. If, on the other hand, the reader doesn't find the mistakes, this proves that constructing a security system is indeed hard. === The Xbox Hardware === Because Microsoft had a very tight time frame for the development of the Xbox, they used off-the-shelf PC hardware and their Windows and DirectX technologies as the basis of the console. The Xbox consists of a Pentium III Celeron mobile 733 MHz CPU, 64 MB of RAM, a GeForce 3 MX with TV out, a 10 GB IDE hard disk, an IDE DVD drive, Fast Ethernet, as well as USB for the gamepads. It runs a simplified Windows 2000 kernel, and the games include adapted versions of Win32, libc and DirectX statically linked to them. Although this sounds a lot more like a PC than, for example, a GameCube with its PowerPC processor, custom optical drive and custom gamepad connectors, it is important to point out that, from a hardware point of view, the Xbox shares ''all'' properties of a PC: It has LPC, PCI and AGP busses, it has IDE drives, it has a Northbridge and a Southbridge, and it includes all the legacy PC features such as the "PIC" interrupt controller, the "PIT" timer and the A20 gate. nVidia sold a slightly modified Southbridge and a Northbridge with another graphics core embedded for the PC market as the "nForce" chipset between 2001 and 2002. === Motivation for the Security System === The Xbox being a PC, it should be trivial to install Linux on it in order to have a cheap and, for that time, powerful PC. Even today, a small and silent 733 MHz PC with TV connectivity for 149 USD/EUR is still attractive. But this is not the only thing Microsoft wanted to prevent. There are three uses that should not have been possible: * '''Linux''': The hardware is subsidized and money is gained with the games, therefore people should not be able to buy an Xbox without the intent to buy any games. Microsoft apparently feels that allowing the Xbox to be used as a (Linux) computer would be too expensive for them. * '''Homebrew/Unlicensed''': Microsoft wants the software monopoly on the Xbox platform. Nobody should be able to publish unlicensed software, because Microsoft wants to gain money with the games to amortize the hardware losses, and because they do not want anyone to release non-Internet Explorer browsers and non-Windows Media Player multimedia software. * '''Copies''': Obviously it is important to Microsoft that it is not possible to run copied games on the Xbox. Microsoft decided to design a single security system that was supposed to make Linux, homebrew/unlicensed software and copies impossible. The idea to accomplish this was by simply locking out all software that is either not on the intended (original) medium or not by Microsoft. On the one hand, this idea makes the security system easier and there are less possible points off attack. But on the other hand, 3 times more attackers have a single security system to hack: Although Open Source and Linux people, homebrew developers, game companies as well as crackers have little common interests, they could unite in this case and jointly hack the Xbox security system. Of the three consoles of its generation, Xbox, Playstation 2 and GameCube, the Xbox is the one whose security system has been compromised first, the one that is now easiest to modify for a hobbyist, the one with the most security system workarounds, and the one with the most powerful hacks. This may be, because the Xbox security is the weakest one of the three, but also because Open Source people, homebrew people and crackers attacked the Xbox, while the Open Source people did not attack the Playstation 2, as Linux had been officially supported by Sony, so the total number of hackers was lower, buying them time. === Idea of the Security System === In order to allow only licensed and authentic code to run, it is necessary to build a TCPA/Palladium-like chain of trust, which reaches from system boot to the actual execution of the game. The first link is from the CPU to the code in ROM, which includes the Windows kernel, and the second link is from the kernel to the game. There are several reasons that the operating system is contained in ROM (256 KB) instead of being stored on hard disk, like on a PC. First, it allows a faster startup, as the kernel can initialize while the hard disk is spinning up, furthermore, there is one link less in the chain of trust, and in case verification of the kernel gets compromised, it is harder to overwrite a ROM chip than modify data on a hard disk. == Startup Security == When turned on, x86-compatible CPUs start at the address 0xFFFFFFF0 in the address space, which is usually flash memory. For the Xbox, this is obviously no good idea, as flash memory can be * replaced, by removing the chip, fitting a socket and inserting a replacement chip. * overridden, by adding another flash memory chip to the LPC bus. This override functionality is necessary, because during manufacturing, an empty flash memory chip gets soldered onto the board, an override LPC ROM chip gets connected to the board and the system boots from the external ROM, which then programs the internal flash memory. This procedure is significantly cheaper than preprogramming the flash memory chips. * reprogrammed, because flash memory can be written to many times. It would be possible to use ROM instead of flash memory, but ROM is more expensive than flash memory. Thus, the machine must not start from flash memory. === Microsoft's Perspective === It would be possible to make two of the attacks impossible, by using ROM chips instead of flash. There would be no way to reprogram them, and it would be possible to disable the LPC override functionality in the chipset, because it is not needed for the manufacturing process any more. ==== The Hidden ROM ==== There is a solution between flash memory and ROM that combines advantages of both these approaches. This trick is rather old and had already been used in previous gaming consoles like the Nintendo 64: Use a tiny non-replaceable startup ROM, and put the bulk of the firmware data (i.e. the Windows kernel) into flash memory. The "internal" ROM checks whether the contents of the flash memory are authentic, and if yes, it passes execution to it. This way, there will be another link in the chain of trust, but the ROM code can be trusted (if it is non-replaceable), and if, in addition, it is non-accessible, an attacker may not even have a clue how verification works. ==== Location of the ROM ==== But where can this ROM be put? It cannot be a separate chip, as it would be replaceable. It would have to be included into another chip. The CPU would be ideal, as the ROM contents would not travel over any visible bus, but then it would be impossible to use cheap off-the-shelf Celerons. Including it in any other chip would make it non-replaceable, but data would travel over a bus. It seems to be a good compromise to store the ROM data in the Southbridge ("MCPX"), as it is connected via the ''very'' fast HyperTransport bus, so it is very hard to sniff. A former Microsoft employee confirmed that the developers tought that nobody was able to sniff HyperTransport. ==== Verification Algorithm ==== This secret ROM stored in the Southbridge must verify the Windows kernel in the external flash memory before executing it. One idea would be to checksum (hash) the flash contents using an algorithm like MD5 or SHA-1, but this would mean that the hash of the kernel has to be stored in the secret ROM as well, which would make it imposible to ship updated versions of the kernel in future Xboxes without also updating the ROM contents - which would be very expensive. A digital signature algorithm like RSA would be better: It would be possible to update the kernel without changing the ROM, but an RSA implementation takes up a lot of space, and embedded ROM in the Southbridge is expensive. It would be ideal if the algorithm fit in only 512 bytes, which is impossible for RSA. ==== Second Bootloader ("2bl") ==== A solution for this problem is again to introduce another link in the chain of trust: The ROM only hashes a small loader ("2bl", "second bootloader") in flash memory, which can never be changed. It is then the job of this loader to verify the rest of flash, and as the second loader can be any size, there are no restrictions. So the final chain of trust looks like this: The CPU boots from the secret ROM embedded into the Southbridge, which cannot be changed. The secret ROM verifies the second bootloader in flash memory using a hash algorithm, and if it is authentic, runs it. The second bootloader checks the kernel, and if authentic, runs it. Now the second bootloader and the Windows kernel would be stored in flash memory in plain text, which is a bad idea: An attacker can immediately see how the second bootloader verifies the integrity of the kernel, and even analyze the complex kernel for possible exploits. Encrypting all the flash contents will not solve possible vulnerability problems, but it will buy us time until the decryption of the flash contents is understood by hackers. The decryption key would have to be stored in the secret ROM, and the 2bl verification code would also have to decrypt the flash contents into RAM while reading it. ==== RAM Initialization ==== Decrypting flash memory contents into RAM is a challenge if we are living inside the first few hundred bytes of code after the machine has started up: At this point, RAM might not be stable yet. The reason for this is that Microsoft bought cheap RAM chips; they just took everything Samsung could give them to lower the price, even faulty ones, i.e. chips that will be unstable when clocked at the highest frequencies specified. The Xbox is supposed to find out the highest clock speed the RAM chips can go and run them at this frequency - this is the reason why some games don't run as smoothly on some Xboxes as on others. So the startup code in the secret ROM has to do a memory test, and if it fails, clock down the RAM, do another memory test, and if it fails again, clock down again, and so on, until the test succeeds or the RAM cannot be clocked down any further. The problem now is that it is impossible to do complex RAM initialization, data decryption and hashing in 512 bytes. This code would need at least 2 KB, which would be significantly more expensive, if embedded into the Southbridge. We could put the RAM initialization code, which is the biggest part of what the startup code needs to do, into flash memory, and call it from the secret ROM, but this would kill security, as an attacker could easily see the unencrypted code in flash, modify it and have the control of the machine right at the startup. The developers at Microsoft had a brilliant idea how to solve this problem: They designed an interpreter for a virtual machine that can read and write memory, access the PCI config space, do "AND" and "OR" calculations, jump conditionally etc. The instruction code has one byte instructions and two 32 bit operands, it can use immediate values as well as an accumulator. The interpreter for the virtual machine is stored in the secret ROM, and its code ("xcodes") is stored in flash memory. This code does the memory initialization (plus extra hardware initialization, which would not be necessary). This program cannot be encrypted, as there is again no space for it in the secret ROM, but as the virtual machine is unknown to the hacker, encryption should not be that important. It also cannot be hashed, as this would make it impossible to change the xcodes for later revisions of the Xbox hardware. Therefore we have to make sure that, if the hacker knows how the virtual machine works, it is impossible to do anything malicious with the xcodes. ==== The Virtual Machine ==== There are several ways an attacker could exploit the xcodes, which are by definition untrusted, because they reside in "external" flash memory. Microsoft included some code to make sure there were no possible exploits. ===== Read the Secret ROM ===== The xcodes can read memory and access I/O ports. This way an attacker could place xcodes into flash memory that dump the secret ROM, which must be mapped into the address space somewhere, to a slow bus, like the LPC or the I2C bus, or write it into CMOS or the EEPROM, so that we can read it later. The xcode interpreter has to make sure that the xcodes cannot read the secret ROM, which is located at the upper 512 bytes of the address space. The simplest way to accomplish this is to mask the address when reading from memory: <pre> and ebx, 0FFFFFFFh &nbsp;; clear upper 4 bits mov edi, [ebx] &nbsp;; read from memory location op1 into di jmp next_instruction </pre> This way, the xcodes can only ready from the lower 256 MB, which is no problem, as there are only 64 MB of RAM, and memory mapped I/O can be mapped into this region using PCI config cycles. ===== Turn off the Secret ROM ===== The xcodes may also not turn off the secret ROM, or else the CPU, while executing the xcode interpreter, would "fall down" from the secret ROM into the underlying flash ROM, which is also mapped to the top end of the address space. The turn off functionality is important: As soon as the second bootloader takes over, the secret ROM has to be turned off, or else an attack against a game, which makes it possible to run arbitrary code, could dump the secret ROM, making additional attacks against it possible. The secret ROM can be turned off by writing a value with bit #1 set to the PCI config space of device 0:1:0, register 0x80. So the xcode interpreter always clears this bit in case there is a write to this PCI config space register: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> ==== Encryption and Hashing ==== For the decryption of the second bootloader, Microsoft chose the RC4 algorithm, which is pretty small, as it fits into 150 bytes. It uses a 16 bytes key, which is also stored in the secret ROM. Microsoft's engineers also chose to use RC4 as a hash, so that no additional algorithm had to be implemented for this. Differential decryption algorithms feed the decrypted data into the generator of the decryption key stream, so if the encrypted code is changed at one byte, all the following bytes will decrypted incorrectly, up to the last bytes. This way, it is possible to only test the last few bytes. If they have been decrypted correctly, then the encrypted code has been authentic. (If you are getting suspicious now - read on!) In practice, the secret ROM in the Xbox compares the last decrypted 32 bit value with the constant of 0x7854794A. If it is incorrect, the Xbox has to panic. ==== Panic Code ==== So far, the code in the secret ROM does this: * Enter protected mode, and set up segment descriptors, so that we have access to the complete flat 32 bit address space. * Interpret the xcodes. * Decrypt and hash the second bootloader, store it in RAM * If the hash is correct, jump to the decrypted second bootloader in RAM, else panic. There is another possible attack here: A hacker could deliberately make the hash fail. If the Xbox then halts and flashes its lights to indicate an error, the attacker can attach a device to dump the secret ROM after the CPU has shut down and the bus is idle. Although HyperTransport is fast, it would be a lot easier to attach a device that actively requests the data from the Southbridge than sniffing it when the CPU requests it. One solution would be not to halt but to shut down the Xbox in case of a problem. The support chips have this functionality. But incorrect flash memory does not necessarily mean that there has been an attack, it could also be a malfunction, and the machine should use the LED to blink an error code. So we should leave the Xbox running, but just turn off the secret ROM, so that it cannot be read any more. But there is a problem: We have to do this inside the secret ROM. So if we disable the ROM, we cannot have the "hlt" instruction after that, because the CPU will "fall down" into flash memory - where an attacker could put code. On the other hand, if we halt the CPU, we cannot turn off the secret ROM afterwards. We cannot put the disable and halt code into RAM and jump there, because RAM might not be stable, and might even have been tampered with by an attacker (e.g. by turning off the memory controller using the xcodes) so that the secret ROM does not get turned off. We cannot put the disable and halt code into flash either, as again, an attacker could simply put arbitrary code to circumvent the complete system there. The Microsoft engineers used yet another brilliant trick: They jump to the very end of the address space (which is covered by the secret ROM) and turn off the secret ROM in the very last instruction inside the address space. This is a simplified version of the idea: <pre>FFFFFFF1 mov eax, 80000880h FFFFFFF6 mov dx, 0CF8h FFFFFFF9 out dx, eax FFFFFFFB add dl, 4 FFFFFFFC mov al, 2 FFFFFFFE out dx, al </pre> After the last instruction, the program counter (EIP) will overflow to 00000000, which, according to the CPU documentation, causes an exception, and as there is no exception handler set up, it causes a double fault, which will effectively halt the machine. === The Hacker Perspective === So much for the theory. The design looked pretty good, although the trade off between cost and security as it has been decided, might give some people headaches. Let us now have a look at the Xbox from the hackers' point of view. It has been well known that the Xbox chipset is a modified version of nVidia's nForce chipset, so we knew that it was standard IDE, USB, there was an internal PCI bus and so on. Two hackers from Great Britain, Luke and Andy, checked the hard disk and found out that it uses a custom partitioning scheme, a FAT-like filesystem, that there is no kernel on the hard disk, but there is the Xbox Dashboard on the fourth partition, the main program that gets executed if there is no game in the DVD drive, which allows changing settings, playing audio CDs and managing savegames. ==== Extracting the Secret ROM ==== Andrew "bunnie" Huang, then a PhD student at the MIT, disassembled his Xbox, saw the flash memory, de-soldered it, extracted the contents, put it on his website and got a phone call from one of Microsoft's lawyers. The flash memory image was obviously encrypted, but there was x86 binary code in the upper 512 bytes! Obviously, there should be no code in the upper 512 bytes, as this gets overridden by the secret ROM, which contains the actual machine setup and flash decryption code. Bunnie found out that this code was an interpreter for tables in flash memory, plus a decryption function that looked like RC4. He rewrote the crypto code in C and tried it on the data - but the resulting data was random, obviously something was wrong. The interpreter didn't make much sense either. The code used opcodes that were unknown to the interpreter. In order to find out what was wrong, bunnie rewrote the top of flash with his own code, and later even completely erased the upper 512 bytes, but the Xbox still booted! So it was obvious to him that this region gets overridden by some internal code. As it turned out later, the code in the upper 512 bytes of the flash image was a very old version of the secret ROM code, which had been unintentionally linked to the image by the build tools. It seems like nobody had looked at the resulting image at the end, before they shipped the consoles. This mistake was very close to a fatal one, and Microsoft was lucky that they didn't link the actual version of the secret ROM. But it didn't make that much of a difference, as bunnie sniffed the busses, and eventually dumped the complete secret ROM, including the RC4 key from HyperTransport, using a custom built sniffer - after all, he was working on his PhD degree about high performance computing, and he could use the excellent resources of the MIT hardware lab. When he published his findings, other people found out quite quickly that the validity check did nothing at all: The combination of decryption and hash with a cypher that feeds back the decrypted data into the key stream is a good idea, but unfortunately, RC4 is no such cypher. It decrypts bytes independently, so if one byte is wrong, all the following bytes will still be decrypted correctly. So checking the last four bytes has no effect: There is no hash. It turned out that the cypher used in the old version of the secret ROM as found in flash memory used the RC5 cypher. In contrast to RC4, RC5 does feed the decrypted stream back into the key stream. So they seem to have replaced RC5 with RC4 without understanding that RC4 cannot be used as a hash. Bunnie's theory why they abandoned RC5 is that RC5 was still a work in progress, and that Microsoft wasn't supposed to have it, so they went for the closest relative - RC4. ==== Modchips ==== Now that the encryption key was known and there was effectively no hash over the second bootloader, it was possible to patch this code: People added code to the second bootloader to patch the kernel after decryption (and decompression) to accept executables even if on the wrong media (DVD-R instead of original) or if the RSA signature of the executables was broken (i.e. unsigned homebrew software). Modchips appeared: Some of them had a complete replacement flash memory chip on them, others only patches a few bytes and passed most reads down to the original flash chip. All these modchips had to be soldered in parallel to the original flash chip, using 31 wires. Now other people found out that, if the flash chip is completely missing, the Xbox wants to read from a (non-existant) ROM chip connected to the (serial) LPC bus. This is of course because of the manufacturing process: As it has been explained before, the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. Modchip makers soon developed chips that only needed 9 wires and connected to the LPC bus. It was enough to ground the data line D0 to make the Xbox think that flash memory is empty. Lots of these "cheapermods" appeared, as they only consisted of a single serial flash memory chip. They could be installed within minutes, especially after some companies started shipping chips that used pogo pins, so that no soldering was required. Some groups wrote applications like boot menus that made it possible to copy games to hard disk and run them from there. Patched Xbox kernels appeared that supported bigger hard disks. Making the Xbox run copies from DVD-R or hard disk as well as homebrew applications written with the official Xbox SDK was now easy. ==== Backdoors ==== The Xbox Linux Project was working on two ways to start Linux: Either run the Linux kernel from a CD/DVD as if it was a game, or run it directly from flash memory, or from HD/DVD using a Linux bootloader in flash memory, so that the Xbox behaved like a PC. For the latter, Xbox Linux was working on a replacement firmware. It would have been no problem to write a replacement firmware that took over execution instead of the second bootloader, as it was possible to completely replace this second bootloader, as well as encrypt it, using the well-known key from the secret ROM. But the firmware developers felt very uncomfortable with the idea of using this secret key in their GPL code. Other hackers felt the same, and thus were looking for bugs and backdoors in the secret ROM code, in order to find a way to be able to implement a replacement firmware without having to deal with encryption. ===== The Visor Backdoor ===== A hacker named visor, who never revealed his real name, wondered whether the rollover to 00000000 in case of an incorrect 2bl "hash" really caused a double fault and halted the CPU. He used the xcodes to write the assembly instruction for "jmp 0xFFFF0000" to the memory location 00000000 in RAM and changed the last four bytes in 2bl, in order to make the secret ROM run the panic code. The Xbox happily continued executing code at 00000000 and took the jump into flash. When appending these instructions to the existing xcodes, he could make sure that RAM had been properly initialized and was thus stable. So there was no need to encrypt the Xbox Linux bootloader firmware with the secret key any more. It was enough to add the memory write instruction to the end of the xcodes and make sure that 2bl decryption fails - which will automatically happen, if the firmware replacement does not contain the 2bl code. Now why is there no double fault? Hackers from the Xbox Linux team checked with AMD employees and they explained that AMD CPUs ''do'' throw an exception in case of EIP overflows, but Intel CPUs don't. The reason that Intel CPUs don't is because of... 1970s stuff. Execution on x86 CPUs starts at the top of the address space (minus 16 bytes), but some computer makers wanted to have their ROM at the bottom of the address space, i.e. at 0, so Intel implemented the instruction with the encoding 0xFFFF, which is what you get when reading from addresses not connected to any chip, as a No-Operation ("nop") and made the CPU throw no exception in case of the address space wraparound. This way, the CPU would "nop" its way up to the top, and finally execute the code at 0. AMD did not implement this behavior, as it had not been necessary any more by the time AMD entered the x86 market with it own designs, and because they felt that this behavior was a security risk and fixing it would not mean a significant incompatibility. But why did Microsoft do it wrong? This can be explained with the history of the Xbox: AMD offered to design and manufacture both the CPU and the motherboard (including the chipset), and nVidia was contracted to contribute the graphics hardware. The first developer systems, even outside of Microsoft, were Athlon-based, but then Intel came in and offered their chips for less money, as well as the complementary redesign of the existing AMD chipset to work with their CPU. Consequently, nVidia licensed the AMD chipset so that the AMD name vanished. This also means, that nVidia nForce chipset is essentially AMD technology, closely related to the AMD-760 chipset. So when Microsoft switched from AMD to Intel, they apparently forgot to test their security code again with the new hardware, or to read the Intel datasheets. ===== The MIST Hack ===== Soon after the visor hack, another vulnerability was found in the secret ROM code, attacking the code that checks whether an xcode wants to disable the secret ROM. Let us look at this code again: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> The PCI config address is stored in the EBX register in the beginning. This address has to be sent to I/O port 0x0CF8, and the 32 bit data has to be sent to I/O port 0x0CFC. The address is encoded like this: <pre>0-7 reg 8-10 func 11-15 device 16-23 bus 24-30 reserved 31 always 1 </pre> The attack is pretty obvoius: there are seven reserved bits in the address, and the code tests for a single exact value. What happens if we write to an alias of the same address, by using an address with only some of the bits 24 to 30 changed? While the instruction <pre>POKEPCI(80000880h, 2) </pre> will be caught, the instruction <pre>POKEPCI(C0000880h, 2) </pre> will not be caught - and works just as well, because the PCI bus controller just ignores the unused bits. This instruction disables the secret ROM, that is, the interpreter disables itself when sending the value to port 0x0CFC, and the CPU falls down to flash memory. We can put a "landing zone" into flash, by filling all of the top 512 bytes with "nop" instructions, and putting a jump to the beginning of flash into the last instruction, so that we do not have to care where exactly the CPU lands after falling down, and we are independent of possibly hard to reproduce caching effects. It is hard to find a good reason for this bug other than carelessness. It might be attributed to not reading the documentation closely enough, as well as not looking at it from the perspective of a hacker well enough. After all, this code had been written with a specific attack in mind - but the code made hacking easier, by giving hackers a hint how to attack. ===== Another PCI Config Space Attack ===== There is a second sequence of xcode instructions that can disable the secret ROM just as well, which are not caught by the interpreter: The interpreter supports writing bytes to I/O ports, so it is possible to put together the code to disable the secret ROM using 8 bit I/O writes: <pre>OUTB(0xcf8), 0x80 OUTB(0xcf9), 0x08 OUTB(0xcfa), 0x00 OUTB(0xcfb), 0x80 OUTB(0xcfc), 0x02 </pre> This hack has been unreleased until now. It has been found not long after the MIST hack, but kept secret, in case Microsoft fixed the MIST bug. In the meantime, they have implemented a fix that makes all hacks impossible that are based on turning off the secret ROM. This will be described in detail later. ===== More Ideas ===== There have been more ideas, but few of them have been pursued, as long as other existing backdoor existed. One possible idea is to base a hack on caching... == Startup Security, Take Two == When bunnie hacked the secret ROM, Microsoft reacted by updating the ROM. Thousands of already manufactured Southbridges were trashed, new ones made. The hacker community called these Xboxes "version 1.1" machines. === Microsoft's Perspective === Microsoft had now understood that RC4 cannot be used as a hash, so they implemented an additional hash algorithm, which was to be executed after decryption. As there were only few bytes left, the hash algorithm had to be tiny - so the "Tiny Encryption Algorithm" ("TEA") was used. Every encryption algorithm can be changed to be used as a hash, and TEA seemed to be a good choice, as it is really small. While they were at it, they also changed the RC4 key in the secret ROM, so that hackers would not be able to decrypt 2bl and the kernel without dumping the new secret ROM. === The Hacker Perspective === The extraction of the secret ROM was done by members of the Xbox Linux Project this time, only days after they got their hands on the new 1.1 boxes, and only two weeks after they first appeared. ==== The A20 Hack ==== To date, Microsoft does not know how the Xbox Linux Project did it. But since there will most probably be no future revisions of the Xbox, as the Xbox 360 has already taken over, we can release this now. Let us start with some PC history. The 8086/8088, the first CPU in the x86 line, was supposed to be as closely compatible to the 8080, which was very successful on the CP/M market. The memory model therefore was similar to the 8080, which could access only 64 KB, by dividing memory into 64 KB blocks. Intel decided that the 8086/8088 could have a maximum of 1 MB of RAM, which would have meant 16 "segments" of 64 KB each. But instead of doing it this way, they decided to let the 64 KB segments overlap, and have 65536 of these segments, starting every 16 bytes. An address was therefore specified by a segment and an offset. The segment would be multiplied by 16, and the offset would be added, to result in the effective address. As an example, 0x0040:0x006C would be 0x40*0x10+0x6C=0x46C. An interesting side effect of this method is that it is possible to have addresses above 1 MB: The segment 0xFFFF starts at the effective address 0xFFFF0, so it should only contain 16 bytes instead of 64 KB. So the address 0xFFFF:0x0010 would be at 1 MB, and 0xFFFF:0xFFFF would be at 1 MB plus roughly 64 KB. The 8086/8088 could not address more than 1 MB, because it only had 20 address lines, so addresses above 0xFFFF:0x000F were wrapped around to the lower 64 KB. But this behavior was different on the 286, which had 24 address lines: It was actually possible to access roughly 64 KB more using this trick, which was later abused by MS-DOS as "high memory". Unfortunately there were some 8086/8088 application that broke, because they required the wraparound for some reason. It wasn't Intel who found that out, but IBM, when they designed the IBM AT, and it was too late to modify the behavior of the 286, so they fixed it themselves, by introducing the A20 Gate ("A20#"). An unused I/O pin in the keyboard controller was attached to the 20th address line, so that software could pull down address line 20 to 0, thus emulating the 8086/8088 behaviour. This feature was later moved into the CPUs, and all Pentiums and Athlons have it - and so does the Xbox. If A20# is triggered, bit 20 of all addresses will be 0. So, for example, an address of 1 MB will be 0 MB, and if the CPU wants to access the top of RAM, it will actually access memory that is 1 MB lower than the top. Keeping this in mind, the attack on the Xbox is pretty straightforward: If we connect the CPU's A20# pin to GND, the Xbox will not start from FFFFFFF0, but from FFEFFFF0 - this is not covered by the secret ROM, but is ordinary flash memory, because flash is mirrored over the upper 16 MB. So by only connecting a single pin, the secret ROM is completely bypassed. What is cool about this, is that the secret ROM is still turned on. So we could easily dump the secret ROM trough one of the low speed busses (we used the I2C bus), by placing a small dump application into flash memory. ==== The TEA Hash ==== After reading Bruce Schneier's book on crypto, we learned that TEA was a really bad choice as a hash. The book says that TEA must never be used as a hash, because it is insecure if used this way. If you flip both bit 16 and 31 of a 32 bit word, the hash will be the same. We could easily patch a jump in the second bootloader so that it would not be recognized. This modified jump lead us directly into flash memory. But why did they make this mistake? Obviously the designers knew nothing about crypto - again! - and just added code without understanding it and without even reading the most basic books on the topic. A possible explanation why they chose TEA would be that they might have searched the internet for a "tiny" encryption algorithm - and got TEA. ==== Visor Backdoor and MIST Hack ==== The Visor Backdoor was still present, so again, for the replacement Linux firmware, the Xbox Linux developers did not have to exploit the crypto code, but could simply use this backdoor. Microsoft obviously released the updated secret ROM much too quickly, just after bunnie dumped it and people saw that RC4 was no hash, but before the visor backdoor had been discovered. The MIST hack had been discovered after the visor bug - but it no longer worked on the Xbox 1.1. Not because they fixed the comparison - they didn't -, but because they changed the address logic: If you accessed the upper 512 bytes of the address space, and the secret ROM was turned off, the Xbox would just crash, thus making all "fall down" hacks impossible. This way they closed both possible attacks, writing to an alias, and using 5 OUTB instructions. Microsoft obviously discovered the turnoff vulnerability themselves, closing at least one backdoor, but keeping another one open, and not really closing a second one. It was too expensive to trash the 1.1 Southbridge chips again for yet another update, so Microsoft still uses these chips in today's Xboxes. === Today === In later revisions of the Xbox, Microsoft removed some pins of the LPC bus, making modchip design harder, but they could not remove the LPC bus altogether, because they needed it during the manufacturing process. In the latest revision of the Xbox hardware (v1.6), they finally switched from flash memory to real ROM - and even integrated the ROM with the video encoder. The LPC bus is not needed for manufacturing any more, as the ROM chips are already preprogrammed. So now it is impossible to replace or to overwrite the kernel image, and because of the missing LPC bus, it also seems impossible to attach a ROM override. But modchips are still possible. The obvious LPC pins are gone now, but the bus is still there. If you find the LPC pins on the board, you can attach a ROM override just as before, the modchips are only a bit harder to install. This is because the Southbridge still has the LPC override functionality, since they did not make a new revision of it - as so often, obviously for monetary reasons. == Xbox Kernel Security == Let us have a look at the chain of trust again: * The CPU starts execution of code stored in the secret ROM. * The secret ROM decrypts and verifies the second bootloader. * The second bootloader decrypts and verifies the Windows kernel. * The Windows kernel checks the allowed media bits and the RSA signature of the game. This last link is a complete software thing, so all the attacks have been pretty much standard. Some people tried to brute force the RSA key used for the game signature - no joke! But what is more likely, successfully brute forcing RSA 2048, or finding a bug in Microsoft's security code? After the experience with the first links of the chain of trust, the Xbox Linux Project focused on finding bugs in the software. We found no bug in the RSA implementation. It is taken straight out of Windows 2000 and looks pretty good. But there are always implicit additional links in the chain of trust: All code reads data, and data can cause security risks if handled incorrectly. === Game Exploits === What data do games load? Graphics data, audio data, video data... - but we cannot alter them, because it is not easily possible to create authentic Xbox DVDs, and the Xbox won't boot originals from DVD-R etc. But most games can load savegames, and these can easily be changed: The Xbox memory units are more or less standard USB storage devices ("USB sticks"), so it is possible to use most USB sticks with the Xbox, and just store hacked savegames on them. Plenty of Xbox games had buffer vulnerabilities in their savegame handlers. It was often as easy as extending the length of strings like the name of the player, and the game would overwrite its stack with our data and eventually jump to the code we embedded in the savegame. The procedure for the user was then to simply copy a hacked savegame from a USB stick onto the Xbox hard disk, run the game and load the savegame. But after a buffer exploit, we would normally only be in user mode - not on the Xbox, as all Xbox games run in kernel mode. The reason for this is probably a slight speed advantage, or, less likely, a simpler environment for the game, but Microsoft tried to make the environment as similar to the Windows/DirectX environment as possible, so user mode would have actually made the environment "simpler" for many Windows/DirectX developers. Now that we have full control of the machine, we can overwrite the flash memory chip. It is write protected by default, but disabling the write protection is as easy as soldering a single bridge on the motherboard. After all, this bridge has to be closed temporarily during manufacturing when programming flash memory for the first time. Using this hack, it is possible, only with a USB stick, one of several games (007 Agent Under Fire, MechAssault, Splinter Cell, ...) and a soldering iron, to permanently modify the Xbox, just as if a modchip was installed. Because early Xboxes had a 1 MB flash chip, although only 256 KB had been used, it was even possible to install several ROM images in flash and attach a switch. But the Xbox Linux Project did not blindly release this hack. The first savegame proof of concept exploit had been finished in January 2003. After that, a lot of energy was invested in finding out a way to free the Xbox for homebrew development and Linux, but not allowing game copies. Microsoft was contacted, but without any success. They just ignored the problem. Finally in July, the hack was released, with heavy obfuscation, and lockout code for non-Linux use. It was obvious that this would only slow down the "hacking of the hack", so eventually, people would be able to use this vulnerability for copied games, but since Microsoft showed no interest in finding a solution, there was no other option than full disclosure. The suggestion of the Xbox Linux Project would have been to work together with Microsoft to silently close the security holes and, in return, work on a method to let homebrew and Linux run on the Xbox. === Dashboard Exploits === The problem with the savegame hack was that, if you didn't want to overwrite the flash memory chip, you had to insert the game and load the savegame every time you wanted to run unsigned code. But having full control of the machine using the savegame exploit also meant we could access the hard disk without opening the Xbox. This way, it became interesting to closely examine the hard disk contents for vulnerabilities. The Dashboard is the main program on hard disk, executed every time the Xbox is started without a game in the DVD drive. The dashboard may even be the very reason the Xbox ships with a hard disk: While the settings menu and savegame management on the Nintendo GameCube fit well into 2 MB of ROM, the Xbox Dashboard, which is roughly comparable in its functionality, occupies more than 100 MB. So the original idea why to include a hard disk might have been initiated by the inability to compress the Dashboard into typical ROM sizes - and they might have decided to make the best out of it, and find additional uses for the hard disk. The dashboard loads its data files, like audio and graphics, from hard disk. With the savegame exploit, we can now alter the hard disk contents, even without opening the Xbox. Of course the dashboard executable is signed and can therefore not be altered, and all data files are hashed, with the hashes stored inside the dashboard executable. Well, all files, except for two: the font files. Consequently, there was an integer vulnerability in the font handling routines, so that we could run our own code by replacing the font files. Combined with the savegame exploit, it was as easy as transferring the savegame and loading it, which would run a script that modifies the fonts. Now every time the Xbox is turned on, the Dashboard crashes because of the faulty fonts and runs our code embedded in these files. Our code reloads the Dashboard with the original fonts, hacks it, and runs it. Hacking the Dashboard meant two things: Modifying one menu entry to read "XBOX LINUX" instead of "XBOX LIVE" and running the Linux bootloader instead of the Xbox Live setup executable, and modifying the kernel to accept both applications signed with Microsoft's RSA key as well as those signed with our RSA key, from hard disk and from CD/DVD. We called this "MechInstaller", as it was based on the "MechAssault" savegame exploit. Only accepting code either signed by the original key or by our key, keeping our key secret, and using heavy obfuscation again, meant that nobody could easily abuse this solution for copied games. This hack shows several things: Hackers have phantasy, the combination of flaws can lead to fully compromising the security system, powerful privileged code should be bug-free and security code should really catch ''all'' cases. Oh, and there is another vulnerability, an integer vulnerability in the audio player code. The attack was developed independently of the font attack, but was inferior because it would have required the user to enter the audio player every time to run Linux. ==== Microsoft's Fixes ==== The history of Microsoft's reactions to the font vulnerability is the perfect lesson of how to do it wrong. # After MechInstaller had been released, Microsoft fixed the buffer vulnerability in the Dashboard and distributed this new version over the Xbox Live network and shipped it with new Xboxes. # For the hackers, this was no major problem: It was possible to downgrade the Dashboard of a new Xbox to the vulnerable version. Just run Linux using a savegame exploit, and "dd" the old image. Some people felt downgrading on new Xboxes was not piracy, because after all, Microsoft upgraded Xbox Live users' hard disks to the new version without asking. # As the next step, Microsoft blacklisted the old Dashboard in the new kernel. It was impossible to just "dd" an old Dashboard image onto newer Xboxes. # Still no major problem for hackers: The second executable on the hard disk, "xonlinedash", which is used for Xbox Live configuration, had the same bug, so it was possible to copy the old "xonlinedash" and to rename it to "xboxdash" to make it crash because of the faulty fonts. # Microsoft consequently blacklisted the vulnerable version of "xonlinedash". # Again, no major problem for hackers: All Xbox Live games come with the "dashupdate" application, which adds Xbox Live functionality to the Dashboard for the first Xboxes which came without it. This update application has the same font bug, and it can be run from hard disk. So it is possible to copy the file from any Xbox Live game DVD, rename it to "xboxdash" and let it crash. # Microsoft could not blacklist this one. Xbox Live enabled games run the update application every time they start, making sure the Xbox has the Xbox Live functionality. Blacklisting "dashupdate" would break these games. We won. == The Mistakes that Have Been Made == Microsoft obviously made a lot of mistakes. But it would be too easy to just attribute all these to stupid engineers. There have been good (and different) reasons for most of these mistakes, and one can learn a lot from them. There are 17 kinds of mistakes they made, several of which have been made more than once. I will group the 17 mistake types into three categories: Design mistakes, implementation mistakes and bad policy decisions. === Design === ==== #1: Security vs. Money ==== Be very careful with tradeoffs between security and money. There are rarely sensible compromises. Keep in mind that the very reason for the security system is to make more money, or to prevent money losses. Security systems cannot be "a little better" or "a little worse". Either they are effective - or they are not. By saving money on the security system, you may easily make it not effective at all, not only wasting the money spent on the security system, but also making losses because it is not effective. Microsoft made many compromises. * In-system programming of flash memory is cheaper than preprogramming, but an attacker can also override the firmware with an LPC ROM. * Buying all of Samsung's RAM chips is cheaper than only buying those within the specs, but it made RAM initialization more complex, using up space that could otherwise be used for better security code. * They chose to put the secret ROM into the Southbridge instead of the CPU, because the Southbridge was a custom component anyway and having a custom CPU would have been a lot more expensive, but keys travel over a visible bus if the secret ROM is outside the CPU. * They saved money choosing not to update the Southbridge a second time, which would have fixed the TEA hash and removed the visor backdoor. This would have made modchips virtually impossible. ==== #2: Security vs. Speed ==== Don't trade security for speed. Although it may be true that the product in question must be as fast as possible in order to be able to compete with similar products on the market, remember that in IT, computers aren't slower or faster by some percentage - but by factors! Besides, you might lose more money because of a security system that does not work than because of a product that is 10 percent slower than it could be. Most probably for added speed (one address space, no TLB misses), Microsoft chose to run all code in kernel mode, even games that interacted with untrusted data that came from the outside. This made it possible to have complete control of the machine once a game crashed because of a prepared savegame, including complete control of the hard disk and the possibility of booting another operating system. ==== #3: Combinations of Weaknesses ==== Be aware of the fact that a combination of security flaws can lead to a successful attack. Don't think that a possible security hole (or "only" a security risk) cannot be exploited because there are so many barriers in front of it. Attackers might break all the other barriers that block the vulnerability, and fixing that one hole would have stopped them. MechInstaller is a great example for that. It was only possible because of the combination of several security weaknesses: * The boot process was vulnerable, so we could use a modified kernel to analyze games. * Some games are not careful enough with savegames, so that we can run our own code. * Games run in kernel mode, so we have full control of the hardware. * The Dashboard does not verify the integrity of the font files. * The Dashboard has a vulnerability in the font code. If any of these weaknesses had not been there, then MechInstaller would not have been possible. Also note that hackers have enough fantasy to find out these combinations. ==== #4: Hackers' Resources ==== Understand that hackers may have excellent resources. Hobbyists may use resources from work or from university, and professional attackers can also be very well-equipped. It is a big mistake to underestimate them. So never think you are safe because it would be too much work or too expensive to exploit a weakness. If it is a weakness, it will eventually be exploited. Also understand that hackers may have excellent human resources. Not only in number, but also in qualifications. Microsoft put the secret ROM into the Southbridge instead of the CPU, which meant that the secret key would travel over a visible bus. This is the very fast HyperTransport bus, which, at that time, could not be sniffed using logic analyzers any mortal could afford. But with help of the resources of the MIT and using all of his expertise, bunnie could build his own hardware that could sniff the bus. ==== #5: Barriers and Obstacles ==== Don't make anything "harder for hackers". Instead make it "impossible for hackers", or, if it cannot be made impossible, don't care about it. Because of the potential great number and excellent qualifications of hackers, no obstacle will have any effect or slow down hacking significantly. But instead, in security design, you might make mistake #3, because you think you are safe as there are so many obstacles in the hackers' way. Use the resources you would invest into building obstacles into building or strengthening barriers instead - possibly at a different location. Microsoft built obstacles into the system at many different locations. * Savegames will only be accepted if they are signed, but the private key is of course stored inside the game, so this is no barrier. Instead, they should have made sure the games contain no buffer vulnerabilities in their savegame handlers. * The hard disk is secured with an ATA password, different for every Xbox and stored on an EEPROM inside the Xbox, but an attacker can just "hotswap" an unlocked hard disk from a running Xbox to a running PC. Instead, they should have put that energy into verifying whether the Dashboard really hashes all data it reads from the hard disk. * The 512 bytes of security startup code were embedded in a custom chip to make it hard to sniff. Instead, they should have made sure that there are no bugs in that security code. ==== #6: Hacker Groups ==== Don't use one security system for different purposes, or else attackers with very different goals will jointly attack it, being a lot more effective. Instead, try to find out who your enemies really are and what they want, and design your security system so that every group gets as much of what they want so that it does not hurt you. There were three possible goals for Xbox hackers: Run Linux and use it as a computer, run homebrew software like media players and emulators, and run copies. Although there were some overlaps between Linux and homebrew people, as well as between homebrew people and people interested in copies, these were essentially three very different groups. Because they were all locked out by the same protection, they worked together, either explicitly, or implicitly, by using the results of each other. No Linux hackers ever attacked the Playstation. When you are fair, people don't fight you. ==== #7: Security by Obscurity ==== Security by obscurity does not work. Well-proven algorithms like SHA-1 and RSA work (of course given your implementation is well-proven as well). Microsoft hid the secret ROM, the Windows kernel, the game DVD contents (no way to read them on a standard DVD drive) and the hard disk contents using different methods. None had any effect. Also see #5. ==== #8: Fixes ==== When your security system has been broken, don't release quick fixes, for two reasons: Your fixes may be flawed and may not actually correct the problem, and even worse holes may be found not much later, which you must fix again - and ship yet another version. Instead, every time a security vulnerability is found, audit your complete security system and search for similar bugs, as well as other bugs in the same part of the system, based on the knowledge you gained from the successful hack. Microsoft failed to correct the hash problem in the second version of the secret ROM, and didn't fix the visor vulnerability, which was found just weeks later. After trashing thousands of already manufactured v1.0 Southbridge chips, which was very expensive, they decided not to update the Southbridge a second time. Another example is the dashboard odyssey: Instead of blacklisting the vulnerable executables at a time, they released three updates, none of which was effective. === Implementation === ==== #9: Data Sheets ==== Know everything about the components you use. Do read data sheets. Be very careful with components that have legacy functionality. Microsoft did not notice the A20# legacy functionality as a security risk. It seems that they did not completely analyze the functionality of the Pentium III Celeron, or else they should have noticed. They also apparently did not read the Pentium programmers' manual, or else they would have noticed that Intel CPUs do not panic on a FFFFFFFF/00000000 wraparound. ==== #10: Literature ==== Read (at least!) standard literature. If you are dealing with cryptography, this means you have to read at last Schneier's "Applied Cryptography". Microsoft's engineers did not know that TEA must not be used as a hash, and that RC4 does not feed the decrypted stream back into the key stream. ==== #11: Pros ==== Get experienced professionals to work on your security system, both on the design and the implementation. If it's a money issue, see #1. Looking at mistakes #9 and #10, it seems very probable that at least some of Microsoft's engineers had no prior experience with cryptography or the design of a security system. We also know that people on an internship were working on Xbox security. ==== #12: Completeness ==== Check whether your security code catches all cases. If it does not, you did not only waste time implementing all of it, but you may also give hints to hackers: If there are many checks at one point of the code, it looks a lot like code that is relevant for security and an attacker can check whether all cases are caught. Microsoft made this mistake twice: The xcode interpreter tests for the secret ROM turnoff code, and doesn't catch all cases. And the Dashboard hashes all files it is going to read, except for two. This gave us the ideas where to attack. ==== #13: Leftovers ==== Look at the final product from the perspective of a hacker. Hexdump and disassemble your final builds. There could be leftovers! The Xbox flash memory image contained an old version of the secret ROM, giving us not only hints about the contents of the actual secret ROM, but also an insight into what Microsoft planned and why some mistakes have been made. ==== #14: Final Test ==== Test your security system when you have the final parts and with the final software components in place. Changing something may very well open holes somewhere else. When you change something, rethink the complete system, and check all assumptions that you made. The visor hack was only possible because Microsoft failed to adapt their security system, designed for the AMD CPU, to the Intel CPU. The "hash" in the secret ROM had no effect because they changed RC5 to RC4 without thinking about the implications. === Policies === ==== #15: Source ==== Keep your source safe. Find engineers you can trust. The complete Xbox source code has leaked, including the kernel and libraries source. Groups interested in copies could easily modify it to support running games from hard disk, support for hard disks bigger than 137 GB, custom boot logos etc. This had been previously done by patching the binary. ==== #16: Many People ==== Have many good people have a look at both your design and your implementation. Keeping your source code safe means having engineers you can trust, and not letting none of your engineers see the source code. As stated at #7, your system should not rely on the source code being safe. Unless you did #7 completely wrong, a bug in the security system is typically a lot worse than a leak of the source code. It seems a lot like very few people have actually seen the Xbox security code. ==== #17: Talk ==== Know your enemy - and talk to them. They are not terrorists that you are not supposed to negotiate with. Their intent is not to harm you but to reach their goals. Working on their goals on their own might harm you indirectly, because the hackers may not care about the same things as you do. Seek the contact to hackers, know what they are doing and have them inform you about a vulnerability before publishing it. Make them know your position and why they should respect it, but also respect their position. Offer them to loosen the security system for what they want in exchange for the non-disclosure of their findings. Microsoft refused to talk about the savegame and font vulnerabilities. If we had been bad hackers, we could have released both of them as-is, immediately making it possible to run copies on Xboxes without the use of a modchip. Instead, we sought contact to Microsoft: We would have preferred to see a backdoor for Linux in the Xbox security system, instead of a solution based on our findings that would allow running copies. But as they refused to talk, we were forced to release the exploits, and they were lucky we heavily obfuscated our solutions so in order to slow down people interested in using it for copies. == Conclusion == The security system of the Xbox has been a complete failure. 624069b4b333aaa8708fa8c7c00b4973853b4a33 0 3782 5601 2017-05-31T09:07:12Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Partitioning] by ''Michael Steil'' (original version: 8 May 2002) T..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Partitioning] by ''Michael Steil'' (original version: 8 May 2002) The Xbox uses a hard disk partitioning scheme that is hardwired into the kernel. The hard disk consists of a header, 3 game cache partitions, a system partition and a data partition: {| class="wikitable" |- ! Offset ! Size ! Description |- | 0&nbsp;MB<br /><code>0x00000000</code> | 0.5&nbsp;MB | '''Disk Config Area''' <br />This partition contains no filesystem. Various configuration data is stored on fixed offsets.<br />Linux device: <code>none</code> |- | 0.5&nbsp;MB<br /><code>0x00000400</code> | 750&nbsp;MB | '''Game Cache A''' (Drive X:)<br />FATX volume containing temporary data of a game for faster access.<br />Linux device: <code>/dev/hda52</code> |- | 750.5&nbsp;MB<br /><code>0x00177400</code> | 750&nbsp;MB | '''Game Cache B''' (Drive Y:)<br />Linux device: <code>/dev/hda53</code> |- | 1500.5&nbsp;MB<br /><code>0x002EE400</code> | 750&nbsp;MB | '''Game Cache C''' (Drive Z:)<br />Linux device: <code>/dev/hda54</code> |- | 2250.5&nbsp;MB<br /><code>0x00465400</code> | 500&nbsp;MB | '''System Files''' (Drive C:)<br />FATX volume containing menu code, graphics, sound, DVD player, music import,&nbsp;...<br />Linux device: <code>/dev/hda51</code> |- | 2750.5&nbsp;MB<br /><code>0x0055F400</code> | 4895&nbsp;MB | '''Data''' (Drive E:)<br />FATX volume containing saved games and imported CD audio tracks.<br />Linux device: <code>/dev/hda50</code> |- ! ! ! '''Non-Standard partitions on disks &gt;8GB''' |- | 7645.5&nbsp;MB<br /><code>0x00EE8AB0</code> | 1896&nbsp;MB<br />- 130&nbsp;GB | '''Unused/Additional''' (Drive F:)<br />The first xboxes had a 8GB disk, later versions came with a 10GB disk. This the space difference between the two and not used. Some tools allow it to be used as additional FATX filesystem<br />Linux device: <code>/dev/hda55</code> (only present if signature of formatted FATX found)<br />Linux assumes that all remaining space on the disk belongs to this partition unless another FATX filesystem is detected at the LBA28 boundary. See below. |- | 137&nbsp;GB<br /><code>0x0FFFFFFF</code> | remaining space | '''LBA28''' (Drive G:)<br />If you install a very big disk some tools are limited by the LBA24 boundary. The drive G allows this space to be used in a separate drive, only accessible to LBA48 capable tools and BIOS'es.<br />Linux device: <code>/dev/hda56</code> (only present if signature of formatted FATX found at LBA24 boundary)<br />Linux assumes that all remaining space on the disk belongs to this partition. |} This table has been completed by Markus Baertschi with lots of stuff. There might be errors and misconceptions, caveat emptor&nbsp;! {| class="wikitable" |- ! '''Missing image'''<br />''Icon-admonition-tip.png'' <br />Tip<br /><br /> | For a more detailed description of the format and contents of the partitions see [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Partitioning_and_Filesystem_Details Xbox Partitioning and Filesystem Details].|} 6880700ca09084ad41fdc5b839aa97bf9405ed8f 5624 5601 2017-05-31T10:00:43Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Partitioning}} by ''Michael Steil'' (original version: 8 May 2002) The Xbox uses a hard disk partitioning scheme that is hardwired into the kernel. The hard disk consists of a header, 3 game cache partitions, a system partition and a data partition: {| class="wikitable" |- ! Offset ! Size ! Description |- | 0&nbsp;MB<br /><code>0x00000000</code> | 0.5&nbsp;MB | '''Disk Config Area''' <br />This partition contains no filesystem. Various configuration data is stored on fixed offsets.<br />Linux device: <code>none</code> |- | 0.5&nbsp;MB<br /><code>0x00000400</code> | 750&nbsp;MB | '''Game Cache A''' (Drive X:)<br />FATX volume containing temporary data of a game for faster access.<br />Linux device: <code>/dev/hda52</code> |- | 750.5&nbsp;MB<br /><code>0x00177400</code> | 750&nbsp;MB | '''Game Cache B''' (Drive Y:)<br />Linux device: <code>/dev/hda53</code> |- | 1500.5&nbsp;MB<br /><code>0x002EE400</code> | 750&nbsp;MB | '''Game Cache C''' (Drive Z:)<br />Linux device: <code>/dev/hda54</code> |- | 2250.5&nbsp;MB<br /><code>0x00465400</code> | 500&nbsp;MB | '''System Files''' (Drive C:)<br />FATX volume containing menu code, graphics, sound, DVD player, music import,&nbsp;...<br />Linux device: <code>/dev/hda51</code> |- | 2750.5&nbsp;MB<br /><code>0x0055F400</code> | 4895&nbsp;MB | '''Data''' (Drive E:)<br />FATX volume containing saved games and imported CD audio tracks.<br />Linux device: <code>/dev/hda50</code> |- ! ! ! '''Non-Standard partitions on disks &gt;8GB''' |- | 7645.5&nbsp;MB<br /><code>0x00EE8AB0</code> | 1896&nbsp;MB<br />- 130&nbsp;GB | '''Unused/Additional''' (Drive F:)<br />The first xboxes had a 8GB disk, later versions came with a 10GB disk. This the space difference between the two and not used. Some tools allow it to be used as additional FATX filesystem<br />Linux device: <code>/dev/hda55</code> (only present if signature of formatted FATX found)<br />Linux assumes that all remaining space on the disk belongs to this partition unless another FATX filesystem is detected at the LBA28 boundary. See below. |- | 137&nbsp;GB<br /><code>0x0FFFFFFF</code> | remaining space | '''LBA28''' (Drive G:)<br />If you install a very big disk some tools are limited by the LBA24 boundary. The drive G allows this space to be used in a separate drive, only accessible to LBA48 capable tools and BIOS'es.<br />Linux device: <code>/dev/hda56</code> (only present if signature of formatted FATX found at LBA24 boundary)<br />Linux assumes that all remaining space on the disk belongs to this partition. |} This table has been completed by Markus Baertschi with lots of stuff. There might be errors and misconceptions, caveat emptor&nbsp;! {| class="wikitable" |- ! '''Missing image'''<br />''Icon-admonition-tip.png'' <br />Tip<br /><br /> | For a more detailed description of the format and contents of the partitions see [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Partitioning_and_Filesystem_Details Xbox Partitioning and Filesystem Details].|} fcede4beee473dfe575bf9718a4c5844e199ea52 6 3783 5602 2017-05-31T09:09:43Z JayFoxRox 2 From Tango, CC0 wikitext text/x-wiki From Tango, CC0 db8a784ad710325c2d825bafdee0a0f1fb193a24 6 3784 5603 2017-05-31T09:09:59Z JayFoxRox 2 From Tango, CC0 wikitext text/x-wiki From Tango, CC0 db8a784ad710325c2d825bafdee0a0f1fb193a24 6 3785 5604 2017-05-31T09:10:11Z JayFoxRox 2 From Tango, CC0 wikitext text/x-wiki From Tango, CC0 db8a784ad710325c2d825bafdee0a0f1fb193a24 6 3786 5605 2017-05-31T09:10:24Z JayFoxRox 2 From Tango, CC0 wikitext text/x-wiki From Tango, CC0 db8a784ad710325c2d825bafdee0a0f1fb193a24 0 3787 5606 2017-05-31T09:12:12Z Espes 2484 Created page with "Retrieved from [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/wiki/PIC] by ''Georg Lukas, Michael Steil, Jeff Mears'', 26 June 2002 Little is known ab..." wikitext text/x-wiki Retrieved from [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/wiki/PIC] by ''Georg Lukas, Michael Steil, Jeff Mears'', 26 June 2002 Little is known about how to program the PIC. Basically, the PIC is an independent 16 bit microprocessor with its own RAM and I/O lines, connected to the CPU through the SMBus. Its own firmware makes it possible for the PIC to be talked to on a very high level. Flashing of the LED, for instance, is completely controlled by the PIC. ==Command overview== {| class="wikitable" |- | '''Command''' | '''Description''' |- | 0x01 | PIC version string |- | 0x03 | tray state |- | 0x04 | A/V Pack state |- | 0x09 | CPU temperature (C) |- | 0x0A | board temperature (C) |- | 0x0F | reads scratch register written with 0x0E |- | 0x10 | current fan speed (0~50) |- | 0x11 | interrupt reason |- | 0x18 | reading this reg locks up xbox in "overheated" state |- | 0x1B | scratch register for the original kernel |- | 0x1C | random number for boot challenge |- | 0x1D | random number for boot challenge |- | 0x1E | random number for boot challenge |- | 0x1F | random number for boot challenge |} <br /> <br /> '''Writing:''' <br /> {| class="wikitable" |- | '''Command''' | '''Description''' |- | 0x01 | PIC version string counter reset |- | 0x02 | reset and power off control |- | 0x05 | power fan mode (0 = automatic; 1 = custom speed from reg 0x06) |- | 0x06 | power fan speed (0..~50) |- | 0x07 | LED mode (0 = automatic; 1 = custom sequence from reg 0x08) |- | 0x08 | LED flashing sequence |- | 0x0C | tray eject (0 = eject; 1 = load) |- | 0x0E | another scratch register? seems like an error code. |- | 0x19 | reset on eject (0 = enable; 1 = disable) |- | 0x1A | interrupt enable (write 0x01 to enable; can't disable once enabled) |- | 0x1B | scratch register for the original kernel |- | 0x20 | response to PIC challenge (written first) |- | 0x21 | response to PIC challenge (written second) |} ==PIC version string== The PIC version can be read from register 0x01 as a 3-character ASCII string. Each time you read that register, the next of the 3 characters is returned. It repeats after the third read. Also, the counter can be reset to the first letter by writing 0x00 to this register. Some Xboxes have the letters "SMC P01" physically etched into the top of the PIC, and some have it on a sticker. The P01 is the version number. The following table shows known PIC versions: <br /> {| class="wikitable" |- | '''Version''' | '''Hex''' | '''Description''' |- | P01 | 50 30 31 | retail xbox 1.0 |- | P05 | 50 30 35 | retail xbox 1.1 |- | DXB | 44 58 42 | debug kit |} ==Reset and Power Off== The PIC controls the power system of the Xbox. To reset or power off the system, you write a request to register 0x02. Since the PIC takes some time to respond, you should do a cli/hlt loop after writing to the PIC. These are the values you can use (this is NOT a bitfield): {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | resets the system and all hardware |- | 0x40 | power cycle: powers off then on (also clears scratch register) |- | 0x80 | power off |} ==The AV Pack== The A/V connector on the xbox rear contains several pins to detect the kind of attached cable. In the PIC there is a register (0x04), where this information can be read out by software. The following values are known: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x00 | SCART |- | 0x01 | HDTV |- | 0x02 | VGA |- | 0x03 | RFU |- | 0x04 | S-Video |- | 0x05 | undefined |- | 0x06 | standard |- | 0x07 | missing/disconnected |} ==The LED== The PIC has its own timer to flash the LEDs: The LED color goes through four phases, 0 to 3. In each phase, the color of the LED can be different. The LED can be off, red, green, or, by turning on both red and green, orange. All the CPU has to do to make the PIC control the LED in a specified way is to transmit a byte containing the color sequence to it. The PIC, by default, manages the LEDs itself. While the system is on, the LED normally is solid green. But when you hit eject, the PIC causes the LED to flash green. To override this, and control the LEDs as desired, you must write 0x01 to register 0x07 after writing your color sequence to 0x08. Each phase consists of two bits, one for red and one for green, so four phases fit into a byte. Thus, the control byte looks as follows: {| class="wikitable" |- | '''Bit #''' | '''Description''' |- | 7 | Red (Phase 0) |- | 6 | Red (Phase 1) |- | 5 | Red (Phase 2) |- | 4 | Red (Phase 3) |- | 3 | Green (Phase 0) |- | 2 | Green (Phase 1) |- | 1 | Green (Phase 2) |- | 0 | Green (Phase 3) |} To set an LED code, the command code 0x08 and the LED code as data must to be sent to I2C device 0x20, followed by the command code 0x07 with a 0x01 as data, both in byte mode. <pre> SMBusWriteCommand(0x20, 8, false, states); SMBusWriteCommand(0x20, 7, false, 1); </pre> <br /> These are some example settings: {| class="wikitable" |- | '''Code''' | '''Binary''' | '''Description''' |- | 0x00 | 00000000 | Off |- | 0xF0 | 11110000 | Solid red |- | 0x0F | 00001111 | Solid green |- | 0xFF | 11111111 | Solid orange |- | 0xC0 | 11000000 | Slow red flashing |- | 0xA0 | 10100000 | Fast red flashing |- | 0x63 | 01100011 | Off - red - orange - green flashing |} You can use the blink tool available from CVS as a frontend for this: # blink ABCD <br /> ABCD are the LED states for the four phases, possible values for every state are: {| class="wikitable" |- | '''Value''' | '''Description''' |- | r | red |- | g | green |- | o | orange (red+green) |- | x | off |} If you want to make it slowly switch red/green, run blink rrgg, fast orange blinking can be achieved with blink oxox. ==Interrupt reasons== The PIC sets the interrupt reason register (0x11) with a bitmask of the following values to indicate to the operating system why the interrupt occurred: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | power button pressed |- | 0x10 | A/V Pack removed |- | 0x20 | eject button pressed |} ==Scratch register values== The original kernel uses this register (0x1B) to "remember" some information across a reboot, and interprets its contents after rebooting. The PIC itself probably makes no interpretation of this register. The register is a bitmask with the following values: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | eject after boot |- | 0x02 | display error message after boot |- | 0x04 | skip boot animation |- | 0x08 | run dashboard no matter what |} ==PIC Challenge (regs 0x1C~0x21)== To try to thwart any attempt to hijack the entire boot process by bypassing the MCPX, the PIC does a security check on the booting ROM. After reset, the PIC gives the CPU about 250 ms to respond to a cryptographic challenge before the system is reset. The PIC generates four random(?) bytes, read from registers 0x1C~0x1F. To disable the countdown, you hash these four bytes and write the result to 0x20 and 0x21. Details of this process are given [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/docs/pichandshake.html here] . On a "Debug Kit" (PIC version "DXB"), registers 0x1C~0x1F all return a value of 0x00. It is unknown whether the challenge system is active at all on these machines. <hr /> (original version: [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/docs/smc.html]) c117f1bcd368bc49e41dd5e1a3a2a07b1b12ad80 5623 5606 2017-05-31T10:00:10Z JayFoxRox 2 wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/wiki/PIC|ours=SMC}} by ''Georg Lukas, Michael Steil, Jeff Mears'', 26 June 2002 Little is known about how to program the PIC. Basically, the PIC is an independent 16 bit microprocessor with its own RAM and I/O lines, connected to the CPU through the SMBus. Its own firmware makes it possible for the PIC to be talked to on a very high level. Flashing of the LED, for instance, is completely controlled by the PIC. ==Command overview== {| class="wikitable" |- | '''Command''' | '''Description''' |- | 0x01 | PIC version string |- | 0x03 | tray state |- | 0x04 | A/V Pack state |- | 0x09 | CPU temperature (C) |- | 0x0A | board temperature (C) |- | 0x0F | reads scratch register written with 0x0E |- | 0x10 | current fan speed (0~50) |- | 0x11 | interrupt reason |- | 0x18 | reading this reg locks up xbox in "overheated" state |- | 0x1B | scratch register for the original kernel |- | 0x1C | random number for boot challenge |- | 0x1D | random number for boot challenge |- | 0x1E | random number for boot challenge |- | 0x1F | random number for boot challenge |} <br /> <br /> '''Writing:''' <br /> {| class="wikitable" |- | '''Command''' | '''Description''' |- | 0x01 | PIC version string counter reset |- | 0x02 | reset and power off control |- | 0x05 | power fan mode (0 = automatic; 1 = custom speed from reg 0x06) |- | 0x06 | power fan speed (0..~50) |- | 0x07 | LED mode (0 = automatic; 1 = custom sequence from reg 0x08) |- | 0x08 | LED flashing sequence |- | 0x0C | tray eject (0 = eject; 1 = load) |- | 0x0E | another scratch register? seems like an error code. |- | 0x19 | reset on eject (0 = enable; 1 = disable) |- | 0x1A | interrupt enable (write 0x01 to enable; can't disable once enabled) |- | 0x1B | scratch register for the original kernel |- | 0x20 | response to PIC challenge (written first) |- | 0x21 | response to PIC challenge (written second) |} ==PIC version string== The PIC version can be read from register 0x01 as a 3-character ASCII string. Each time you read that register, the next of the 3 characters is returned. It repeats after the third read. Also, the counter can be reset to the first letter by writing 0x00 to this register. Some Xboxes have the letters "SMC P01" physically etched into the top of the PIC, and some have it on a sticker. The P01 is the version number. The following table shows known PIC versions: <br /> {| class="wikitable" |- | '''Version''' | '''Hex''' | '''Description''' |- | P01 | 50 30 31 | retail xbox 1.0 |- | P05 | 50 30 35 | retail xbox 1.1 |- | DXB | 44 58 42 | debug kit |} ==Reset and Power Off== The PIC controls the power system of the Xbox. To reset or power off the system, you write a request to register 0x02. Since the PIC takes some time to respond, you should do a cli/hlt loop after writing to the PIC. These are the values you can use (this is NOT a bitfield): {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | resets the system and all hardware |- | 0x40 | power cycle: powers off then on (also clears scratch register) |- | 0x80 | power off |} ==The AV Pack== The A/V connector on the xbox rear contains several pins to detect the kind of attached cable. In the PIC there is a register (0x04), where this information can be read out by software. The following values are known: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x00 | SCART |- | 0x01 | HDTV |- | 0x02 | VGA |- | 0x03 | RFU |- | 0x04 | S-Video |- | 0x05 | undefined |- | 0x06 | standard |- | 0x07 | missing/disconnected |} ==The LED== The PIC has its own timer to flash the LEDs: The LED color goes through four phases, 0 to 3. In each phase, the color of the LED can be different. The LED can be off, red, green, or, by turning on both red and green, orange. All the CPU has to do to make the PIC control the LED in a specified way is to transmit a byte containing the color sequence to it. The PIC, by default, manages the LEDs itself. While the system is on, the LED normally is solid green. But when you hit eject, the PIC causes the LED to flash green. To override this, and control the LEDs as desired, you must write 0x01 to register 0x07 after writing your color sequence to 0x08. Each phase consists of two bits, one for red and one for green, so four phases fit into a byte. Thus, the control byte looks as follows: {| class="wikitable" |- | '''Bit #''' | '''Description''' |- | 7 | Red (Phase 0) |- | 6 | Red (Phase 1) |- | 5 | Red (Phase 2) |- | 4 | Red (Phase 3) |- | 3 | Green (Phase 0) |- | 2 | Green (Phase 1) |- | 1 | Green (Phase 2) |- | 0 | Green (Phase 3) |} To set an LED code, the command code 0x08 and the LED code as data must to be sent to I2C device 0x20, followed by the command code 0x07 with a 0x01 as data, both in byte mode. <pre> SMBusWriteCommand(0x20, 8, false, states); SMBusWriteCommand(0x20, 7, false, 1); </pre> <br /> These are some example settings: {| class="wikitable" |- | '''Code''' | '''Binary''' | '''Description''' |- | 0x00 | 00000000 | Off |- | 0xF0 | 11110000 | Solid red |- | 0x0F | 00001111 | Solid green |- | 0xFF | 11111111 | Solid orange |- | 0xC0 | 11000000 | Slow red flashing |- | 0xA0 | 10100000 | Fast red flashing |- | 0x63 | 01100011 | Off - red - orange - green flashing |} You can use the blink tool available from CVS as a frontend for this: # blink ABCD <br /> ABCD are the LED states for the four phases, possible values for every state are: {| class="wikitable" |- | '''Value''' | '''Description''' |- | r | red |- | g | green |- | o | orange (red+green) |- | x | off |} If you want to make it slowly switch red/green, run blink rrgg, fast orange blinking can be achieved with blink oxox. ==Interrupt reasons== The PIC sets the interrupt reason register (0x11) with a bitmask of the following values to indicate to the operating system why the interrupt occurred: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | power button pressed |- | 0x10 | A/V Pack removed |- | 0x20 | eject button pressed |} ==Scratch register values== The original kernel uses this register (0x1B) to "remember" some information across a reboot, and interprets its contents after rebooting. The PIC itself probably makes no interpretation of this register. The register is a bitmask with the following values: {| class="wikitable" |- | '''Value''' | '''Description''' |- | 0x01 | eject after boot |- | 0x02 | display error message after boot |- | 0x04 | skip boot animation |- | 0x08 | run dashboard no matter what |} ==PIC Challenge (regs 0x1C~0x21)== To try to thwart any attempt to hijack the entire boot process by bypassing the MCPX, the PIC does a security check on the booting ROM. After reset, the PIC gives the CPU about 250 ms to respond to a cryptographic challenge before the system is reset. The PIC generates four random(?) bytes, read from registers 0x1C~0x1F. To disable the countdown, you hash these four bytes and write the result to 0x20 and 0x21. Details of this process are given [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/docs/pichandshake.html here] . On a "Debug Kit" (PIC version "DXB"), registers 0x1C~0x1F all return a value of 0x00. It is unknown whether the challenge system is active at all on these machines. <hr /> (original version: [https://web.archive.org/web/20100617022549/http://www.xbox-linux.org/docs/smc.html]) 20866a3e8ce7c34fc29c73736c4f19f581ae70de 10 3788 5610 2017-05-31T09:14:13Z JayFoxRox 2 Created page with "[[File:Media-cdrom.svg.png|16px]] {{{1}}}" wikitext text/x-wiki [[File:Media-cdrom.svg.png|16px]] {{{1}}} 91f27c232c1a04450c6e95677a850cfb71056cdb 0 3679 5612 5024 2017-05-31T09:17:57Z JayFoxRox 2 /* 185a6100 */ wikitext text/x-wiki The files on the Xbox look something like this (file sizes and MD5 checksums included): <pre> C Audio AmbientAudio AMB_05_ENGINEROOM_LR.wav 5562348 565b84c327ef10b4854db6d3c943078e AMB_06_COMMUNICATION_LR.wav 5412228 767c124d7260a8c0072ed21fb2d46915 AMB_12_HYDROTHUNDER_LR.wav 6447588 8fe6214758f24524ea7af2f3a30258a0 AMB_EC_Pinger1.wav 1259412 076eb4b27b9ff381a8e188898975fb4d AMB_EC_Steam1.wav 656484 43ac56a62ed8459239b97a39e665af2f AMB_EC_Steam2.wav 943836 337bc7e89097d2b3ddcdb0eab0a92e13 AMB_EC_Steam3.wav 516156 88537eaeed16c6a4475d3b3738623aab AMB_EC_Steam4.wav 746556 b0916cc4d6668a9771afd01496f4e9d7 AMB_EC_Steam5.wav 737340 552e8c32ea1a04f69e98859e56077f1b AMB_EC_Steam6.wav 534588 f4cbc9d9a4f32adf2844ab97df798c76 AMB_EC_Steam7.wav 1021884 f041eb53748e5d47410a188c6e280b15 AMB_EC_Voices1.wav 307932 741c2d6d63ba0b3b464ea5b6b318cdbc AMB_EC_Voices10.wav 525372 28a17555fa442249cbd7861e80bcf5ac AMB_EC_Voices11.wav 313404 1b97f1b14fcab2201da745ed4f44e491 AMB_EC_Voices12.wav 672828 80c65f6b627b259796927adc6dde86f6 AMB_EC_Voices13.wav 362580 026576c28474118b04cc4a09fb6b5480 AMB_EC_Voices2.wav 307644 b3de08af73e56f93c10147e0b7f3bc57 AMB_EC_Voices3.wav 695292 ce594325ac41b2d95bea4a1a2a0449b4 AMB_EC_Voices4.wav 521916 b368c2a8995b000c340d3e1408e0fdc5 AMB_EC_Voices5.wav 292092 bf018e7ad6d6d4531753ef7ea0a1d16e AMB_EC_Voices6.wav 709692 be2f2d7447cb69309595e115f72e5500 AMB_EC_Voices7.wav 502332 1fb09252f8ac69036351661f653da142 AMB_EC_Voices8.wav 313404 aa2849ce3b7df30ffc894322f83a7497 AMB_EC_Voices9.wav 691260 4ff4887384d0d5697df491ea9ce6b51b comm static 1.wav 39012 4820878be0a0c67e2e2bfd1a82e9af60 comm static 2.wav 71052 6db8cae9fd2a8a7cf8fa9d3abe53ea1d comm static 3.wav 104172 2abe2439e393432e6ae4d596c283690c comm static 4.wav 93948 5e00320ced41a87a79aedc7ceaf5d57c comm voice 1.wav 189636 0b208c6775907edc63a65054fc807af5 comm voice 2.wav 196116 7af4f6576c1714391f1aa4a8b0100ca5 comm voice 3.wav 241044 08781a9e45eac3df26142d8478eb684d comm voice 4.wav 69036 948c41545db45969e71c0a5e7614a22f comm voice 5.wav 116484 d67a914b933f85f513f4d8e44d09980a comm voice 6.wav 83796 1f595aeaef1bdfb501a91de7638fe28f comm voice 7.wav 81852 b2b9fa426e3237ddeb79f0536869eca2 comm voice 8.wav 178620 df652e1d62a8b33af6a47acffb4fcadb comm voice 9.wav 110076 39b0f0a3d6d5ec10055b68e602b8675c Control Room Loop ver2.wav 543732 093c1519cb6bd6d6d3930d3f774b3485 Control Room Loop.wav 541860 0f23001b0319a568ac862ec7a1f5ee6f MainAudio Global A Button Select.wav 18708 895b82ec5a33bc8a786e2a690a734de3 Global B Button Back.wav 18708 45e2b8b11534d2da41900fa5ef5418f4 Global Completion Beep.wav 12012 2aa770f713594310639ec15ebf2695af Global Delete_Destroy.wav 41820 cdefc6e08f772d2c4ab77a564dc50183 Global Error Message B.wav 14964 dade2d5ecb0b754ec69d4bb4e887d42e Global Keyboard Stroke 1.wav 7044 e7662531b5b05431966732cb76a6fffa Global Keyboard Stroke 2.wav 11220 b516137d9257d3b975f6d9ad82b75750 Global Main MenuBack3ver2.wav 32892 b825773a71e8d3655bd8998cbbb424f4 Global Main MenuFwd3ver2.wav 24108 e5035e8fb6d1d16c16c1fda2a3339153 Global Progress Bar.wav 235356 d9820e39524a3b37e982fa77004655be Global Scroll Beep.wav 1572 67bc6aba697a1eb2714d8eda84da0405 MemoryAudio Memory Controller Select.wav 15828 54e676b7ff4dcdd295fabf1dfb9290e5 Memory Games Select.wav 45348 9e95263f0767a62119aa38e668248957 Memory Memory Slot Select.wav 12084 bb86674f7a85e0bf6d9dfb569cfcead4 MusicAudio Games Info Screen In MSurr.wav 63348 17a245d749339571cdc0fb9524a0ba20 Games Info Screen In.wav 63348 b02a19fcbbbe8f394c79c560e67fbeb6 Games Info Screen Out MSurr.wav 71052 c8a81e0046acbc0ce5712f7621422b5b Games Info Screen Out.wav 5964 2080b7f318e72e06c8e3c8a03656d03c Music CD Select.wav 30300 1104afb43a6aec2b678cda13befa811e SettingsAudio Settings Lang SubMenu Sel.wav 161340 73a89aab381849b9a51bf097293e9449 Settings Parent SubMenu Sel.wav 21372 74a51e1d0634f2a25585389c77b3dd63 TransitionAudio Games Main Menu In_LR.wav 72132 4ebfcf1125ace7e7417e513cf55faf84 Games Main Menu Out_LR.wav 75444 9f1e83b02961528a8920693ba2654a24 Games Sub Menu In_LR.wav 74220 8be59cc1ea9dd4c1349e446554a9e50c Games Sub Menu Out_LR.wav 83148 0d2b3642ed00c68ff26fea337bb21d17 Music Main Menu In_LR.wav 53484 cd9b4b30a8829689be34e10648b89257 Music Main Menu Out_LR.wav 51036 5dcceccf08ae7d4c537a1ad03d1b4d64 Music Select Track In_LR.wav 68388 80af0c1585d8f6fbfd02623182bc8155 Music Select Track Out_LR.wav 68100 e3aa18fd82b3d34df22e34b4fe3d49ed Settings Main Menu In_LR.wav 188844 7553686ac2ab1f1f9c9e16929ffce5ab Settings Main Menu Out_LR.wav 159252 4bc9fbffabb006fcc6d321ee4ba127ee Settings Sub Menu In_LR.wav 97908 2b6b47c092d70ae2ef926ff521b9d3d1 Settings Sub Menu Out_LR.wav 60468 1439f81e8dfab007d9dda12e3b8d34df fonts XBox Book.xtf 14440996 8f5b7cee650f389f1c5c7bb5f70386bb Xbox.xtf 19124720 de4a26c39de8001b95c749f8d3d22128 xboxdashdata.<see versions> AccountSelection.xip 1322518 497f17cc0941611e438093e5af73feb9 default.xip 1619954 c5f0ac7c917ff431739be68528562990 dvd.xip 167045 64feb8f1e5844fc3d4c4a4269677b8a3 jkeyboard.xip 732966 e2d462cd3df9f57a0d572f3229a87b51 Keyboard.xip 658238 c1b2b05a0a47a521d1f7d05ecb566432 LiveToday.xip 1226668 5f33f99506bb687bad95a735c6a9ea80 mainmenu5.xip 2300516 f2e318a54e2a7326c5b42c6def7d64d4 memory_files2.xip 2708134 295fcaec6ad66b14cf51c94d0ac1b999 Memory2.xip 2218462 4c7fcc324216117b8d54a273eb581c29 Message.xip 801609 abd85ff52590e61e0b7081f650175bae music_copy3.xip 1618605 2f7257186e5093b09a1fe5d96716b0c6 Music_PlayEdit2.xip 2593642 628a0c8ce9ee64a6fd3bc339fbb28913 music2.xip 2007578 4979f2dbcf721c1702cde15ed7961800 PasscodeVerify.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_adoc.xip 4208200 a73817afb22f622fc4c25bbd291db66a Settings_Clock.xip 1684098 c49e21dacb92d81ed18380e4354904e1 settings_language.xip 1429750 cf45a77a9bf6dc972344c6cee48adacc settings_list.xip 2928635 123a550fafb5c08b7a0c4437f7989820 settings_panel.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_parental.xip 1008362 1ae35811db2ecf5af08695ae8b681e6d settings_timezone.xip 1371154 b148d86596529ae3abaec6bb3185d13b settings_video.xip 1978178 a91d26866b85bf80005a7fc1ba59b442 settings3.xip 2966303 8d6076c0ee3a22646c0764c34296c8b8 WaitCursor.xip 33641 6ccd2d7f083ef995f3f67ce747e289a9 xodash audio LiveNowAudio Friend Offline.wav 54092 41b7a8fe061a1ff2552c9bf1188736f5 Friend Online.wav 54060 81ccfe1005276370c5cbb3e708807b62 Friend Request.wav 52436 d7c8b57e754b761d1b3101b3e709b3dd Game Invite.wav 29396 cd580938613a5407eb8bcaffe2688667 VoiceChatAudio Voice Chat Join.wav 26156 7fb1fe01240795fcbf564dabfad01b21 Voice Chat Leave.wav 37028 8021bcf17888d2803c0e419cffa7dbb5 media Content Japanese coc_jpn.txt 2347 f2feb7aa376a74240926d158dd74d65d ximejpm.dic 250528 b1a7b55b9694ed6a47a2b901415e6fc5 ximejps.dic 188288 83f581a5d8023013de26eb65b1467486 SavedGame SaveImage.xbx 18432 f378f3f8f19f3f679ee6a3a7497e104d TitleImage.xbx 67584 6327fec35dd1abe0c3f33ac5cde11c10 TitleMeta.xbx 800 630de678413ed09e15ae45aa231c1af6 TChinese twroc.dic 55226 48d0d50142126651f6090ec99e00b8c5 Xbg 3_doublebutton.xbg 207993 42b0b013d2c2e5817a3e4c8ab04bffb4 act_accountpin.xbg 653118 fe632805e6d6729e7e442fc96771a7d9 act_activation.xbg 59625 a7db0e486f391ad9101ee7d9a6abe7ca act_admin_policy.xbg 71938 135c297799488b118e93deb8ba6ea44e act_alt_names.xbg 84324 158225c13adae3057c062fb8f6730be7 act_billing.xbg 226372 fb04f93f5afed327400f6dae41a3f4e8 act_congrats.xbg 145440 4f773200049c715436c27cad462d3725 act_copy_delete.xbg 888221 66321645c2e21dc97221946871ad8894 act_country.xbg 184789 11ef5a0db7ff1c4e57c372f5ca8a474c act_forced_name.xbg 70512 b47c0cd89ef89019b8d4fb7e9f29078a act_id.xbg 80213 d7b2f7b2c8444c353a00b61963a37ff0 act_message_server.xbg 241052 6876fb92e1c92afc662562fb99a5abb4 act_new_opt_in.xbg 283121 2997402d4dd252d0746e5790b35abeab act_online.xbg 77774 dbd09ce5f9fd916724997bbe64aa7e6c act_overwrite.xbg 578090 c71ca452229dcd95bfee26b7d9424f3a act_passcode.xbg 722464 81526772f069a1c81b76254399fb8666 act_restrictions.xbg 198867 ecbfd5abe9bde3f28e7e21722c85e47c act_state.xbg 797805 1f2a1cacb023ac3c754d9548a38e8039 act_sub_3button.xbg 158866 112821cc587d1ad4cc99fa0d0a917273 act_sure.xbg 65137 5c1540d7ccec2c6607c8b0510f8f825a act_user_options.xbg 185180 e496c0538f2b825186b00e30f5709931 act_users2.xbg 88313 12ce8b2ae9d7d450660b7de5aebcaaf8 addfriend.xbg 1890765 f6bf945bea8ef86d593109b2d1866b89 anim_connecting.xbg 1034604 d414eabc933dc46e64b3703c54b8e574 anim_wait_5.xbg 25575 007a7e8f3f4b262414100cc48d8cbdb0 backbutton.xbg 81349 6b894fe7c6392836808dc6230bd7b0d0 bud_actions.xbg 146828 dbc004a2b3081507ae2c2efed71fb4a3 cellwall.xbg 190846 219a43d501df170e4affcae9e4b35e92 contextual.xbg 1937307 007ac7c3ddedad86a662bc9b115d1f00 feedback.xbg 1929240 d26e11eb96b135eac630dfcee1b7e5fb friends.xbg 2224276 afae13fb39cc559c24c85262509e888e gen_dob_tumblers.xbg 1276515 83c24a1a6ed4f405dc0caad816a0a204 gen_exp_tumblers.xbg 1262446 9e4d5fd47c810132f42bf9bc173a1908 gen_large_panel.xbg 210906 814dfbf474a031ab82f6271a4c0648db gen_mess_panel.xbg 347851 397c04b140e03b293b1a104e540d73fc j_candidates.xbg 254619 060728bbf7498173420a45be61b7c339 j_keyboard.xbg 737322 88c480d6b5ab9feb95b3e906760e2373 k_keyboard.xbg 426877 6388aede82d338db42b55752aa5b9d06 keyboard.xbg 375657 873fbf9ec6585103346bf0a381f95d93 keypad.xbg 202889 decf2d76e67af781ad34c220be6308f8 nts_dns.xbg 192159 bd54bc1e4246605937a828b3b6278a95 nts_ip.xbg 202623 9e100d8c7029c20cfc9bd7ee0fa6bc65 nts_settings.xbg 216718 512de7f31ef378651a5e783965ea7f24 nts_status.xbg 181806 0a0d4a2ed3c61c86258d6d3ae3fe3837 nts_wireless.xbg 231935 82a12b613465f617c90c7fdce118adef orb_master.xbg 348747 c259f4d1276582d32044826f6d88cedc selectbutton.xbg 73523 bf0fcf1cde1d1aa92b7335ab5d8c10a3 t_keyboard.xbg 405161 912e6bd830337868cb9b51d30c8c0121 voicechat.xbg 2327218 dd2e8dcea71fc8fa661daa7d6c9b0f6d voicemail.xbg 1948139 662585947a38eff1b5e74e871ea4d5be Xbx button.xbx 10240 fc14f24784a74a5d48004e48880086cb cellwall.xbx 67584 ff23d97f5263ee657cdd7d528bb1c95e darken_opacity.xbx 18432 7f24ebbab4f77fe612d0dd9491001e49 Disabled.xbx 10240 6d8da8de70e262767600d2b84eec43c2 disabled_highlight.xbx 6144 64f4dd2e2f5539ad6a11417abe0ef336 footer.xbx 34816 6a2124d31b374d9c3f426436aec35161 GameHilite_01.xbx 6144 c4fa23bce07f08dd360565d9b267b0b0 highlight.xbx 10240 1e99278554e5d4a0e42b808ebd833385 keyboard_alpha.xbx 18432 65553de7e37186f96942948cbe4639b9 Live_header.xbx 34816 fc46134b8dd7abf183e1d466d5afe6bf live_highlight_disabled.xbx 10240 5a2da8c4c763cdcf6ab7c23deaa64205 LiveChrome.xbx 67584 f64b49852005cc389d205ea1de8d1048 mess_panel_backing.xbx 18432 24459f91d4de55a521d2c75da81ac7de Options.xbx 18432 9e442a174906ef3e06c04c5cd43b6ddd panel1.xbx 18432 7ef04f5b0d0ce60e9ac385d5734d35a3 panel10.xbx 10240 2852c18e0b898a0cd0f74d957d1c4e1f panel11.xbx 18432 188290082b02fc03a2656ffdc131f309 panel12.xbx 18432 bf234eb3313b4af0f04a7eea816b0819 panel13.xbx 18432 c465aaacf64ff98d7e5c7501f15df4cd panel14.xbx 18432 5b52636f2ae781df267c27ba4f1fa1f4 panel15.xbx 10240 43ce1530ac07161c65b1ff5d02ddaf07 panel16.xbx 18432 1c35588436ba6d4a437fb1d22e8ed029 panel17.xbx 10240 7b9d574182f87b7c8bb9b1f16d07a234 panel18.xbx 18432 192a162567836159e44355a13b108ec6 panel19.xbx 18432 3d205c154cd434ae46009670b8a5c830 panel2.xbx 18432 4958bbd39d6adc867a323bd14e7fedfb panel20.xbx 18432 70fcee44a106f94f3d505b8fe36e89bd panel3.xbx 18432 7ddc37a40c11f91c4f5709275753682c panel4.xbx 18432 54ca9e18cadcabd704eff52270cf5aef panel5.xbx 18432 9a92cefceb843e4b634ef4862b2838f0 panel6.xbx 18432 5220d145a2d73f10018f822b746a33f9 panel7.xbx 18432 0fb78b53c5b037f006342a10f13447f5 panel8.xbx 18432 212a8b96d91eaab3788d33ea3f0f99d0 panel9.xbx 18432 25b985d4c995f4898ea1c3344cf0d2f0 Plain_header.xbx 34816 494a987d8bf0000ff972ec0926aa08dd pulse_3D_64_matte_trans.xbx 4096 7d9b93b859d90f855dbb0a17170821bc Pulse1.xbx 34816 364898b79abf0110779b849a4df38154 ridges.xbx 34816 caabfdb8e5aa2390d001d60247ff3b72 wireframe.xbx 10240 48468dbefff5fb21d52f8b66418a89f2 xbox2.xbx 264192 e86870b16246b4399a86c592a1f87b3b xbox4.xbx 67584 67f33ec44e706a322e2550a342340a3c xboxlogo.xbx 264192 77cf58d065229b28edda8b08709ac31d xboxlogow.xbx 264192 c4816fb72fe27cd18bb04a109b9facd1 update.xbe 2260992 <see versions> xonlinedash.xbe 2617344 <see versions> XBox Book.xtf 17068868 54751950aa215228a4915955f7d2ce0c Xbox.xtf 15613736 0466dd6c19ec9c1785e8aadfc8c5269e xboxdash.xbe 1961984 <see versions> E TDATA UDATA </pre> I have seen a few differences. I thought all my Xboxs had the same dashboard version, but I have 2 slightly different versions of files: == 185ead00 == Here are the differences for this dashboard <pre> C xboxdashdata.185ead00 xodash update.xbe 2260992 bc99ef8730158ba1bf3f1c9c84520661 xonlinedash.xbe 2617344 8149654a030d813bcc02a24f39fd3ce9 xboxdash.xbe 1961984 08d3a6f99184679aa13008d6397bacce </pre> == 185a6100 == Here are the differences for this dashboard * {{fs-drive|C:}} ** {{fs-folder|xboxdashdata.185a6100}} ** {{fs-folder|xodash}} *** {{fs-file|update.xbe|size=2260992|hash=78ad0f3f0cb83010728e00457a778121}} *** {{fs-file|xonlinedash.xbe|size=2617344|hash=01dd6c8aa72b473ba1523c73c6527d86}} ** {{fs-file|xboxdash.xbe|size=1961984|hash=1fa397b44ec78965ef955539fd8f4fbd}} 5ed4dde0cbfc7033c4fcdcc04304941a76cb569a 5613 5612 2017-05-31T09:20:51Z JayFoxRox 2 /* 185ead00 */ wikitext text/x-wiki The files on the Xbox look something like this (file sizes and MD5 checksums included): <pre> C Audio AmbientAudio AMB_05_ENGINEROOM_LR.wav 5562348 565b84c327ef10b4854db6d3c943078e AMB_06_COMMUNICATION_LR.wav 5412228 767c124d7260a8c0072ed21fb2d46915 AMB_12_HYDROTHUNDER_LR.wav 6447588 8fe6214758f24524ea7af2f3a30258a0 AMB_EC_Pinger1.wav 1259412 076eb4b27b9ff381a8e188898975fb4d AMB_EC_Steam1.wav 656484 43ac56a62ed8459239b97a39e665af2f AMB_EC_Steam2.wav 943836 337bc7e89097d2b3ddcdb0eab0a92e13 AMB_EC_Steam3.wav 516156 88537eaeed16c6a4475d3b3738623aab AMB_EC_Steam4.wav 746556 b0916cc4d6668a9771afd01496f4e9d7 AMB_EC_Steam5.wav 737340 552e8c32ea1a04f69e98859e56077f1b AMB_EC_Steam6.wav 534588 f4cbc9d9a4f32adf2844ab97df798c76 AMB_EC_Steam7.wav 1021884 f041eb53748e5d47410a188c6e280b15 AMB_EC_Voices1.wav 307932 741c2d6d63ba0b3b464ea5b6b318cdbc AMB_EC_Voices10.wav 525372 28a17555fa442249cbd7861e80bcf5ac AMB_EC_Voices11.wav 313404 1b97f1b14fcab2201da745ed4f44e491 AMB_EC_Voices12.wav 672828 80c65f6b627b259796927adc6dde86f6 AMB_EC_Voices13.wav 362580 026576c28474118b04cc4a09fb6b5480 AMB_EC_Voices2.wav 307644 b3de08af73e56f93c10147e0b7f3bc57 AMB_EC_Voices3.wav 695292 ce594325ac41b2d95bea4a1a2a0449b4 AMB_EC_Voices4.wav 521916 b368c2a8995b000c340d3e1408e0fdc5 AMB_EC_Voices5.wav 292092 bf018e7ad6d6d4531753ef7ea0a1d16e AMB_EC_Voices6.wav 709692 be2f2d7447cb69309595e115f72e5500 AMB_EC_Voices7.wav 502332 1fb09252f8ac69036351661f653da142 AMB_EC_Voices8.wav 313404 aa2849ce3b7df30ffc894322f83a7497 AMB_EC_Voices9.wav 691260 4ff4887384d0d5697df491ea9ce6b51b comm static 1.wav 39012 4820878be0a0c67e2e2bfd1a82e9af60 comm static 2.wav 71052 6db8cae9fd2a8a7cf8fa9d3abe53ea1d comm static 3.wav 104172 2abe2439e393432e6ae4d596c283690c comm static 4.wav 93948 5e00320ced41a87a79aedc7ceaf5d57c comm voice 1.wav 189636 0b208c6775907edc63a65054fc807af5 comm voice 2.wav 196116 7af4f6576c1714391f1aa4a8b0100ca5 comm voice 3.wav 241044 08781a9e45eac3df26142d8478eb684d comm voice 4.wav 69036 948c41545db45969e71c0a5e7614a22f comm voice 5.wav 116484 d67a914b933f85f513f4d8e44d09980a comm voice 6.wav 83796 1f595aeaef1bdfb501a91de7638fe28f comm voice 7.wav 81852 b2b9fa426e3237ddeb79f0536869eca2 comm voice 8.wav 178620 df652e1d62a8b33af6a47acffb4fcadb comm voice 9.wav 110076 39b0f0a3d6d5ec10055b68e602b8675c Control Room Loop ver2.wav 543732 093c1519cb6bd6d6d3930d3f774b3485 Control Room Loop.wav 541860 0f23001b0319a568ac862ec7a1f5ee6f MainAudio Global A Button Select.wav 18708 895b82ec5a33bc8a786e2a690a734de3 Global B Button Back.wav 18708 45e2b8b11534d2da41900fa5ef5418f4 Global Completion Beep.wav 12012 2aa770f713594310639ec15ebf2695af Global Delete_Destroy.wav 41820 cdefc6e08f772d2c4ab77a564dc50183 Global Error Message B.wav 14964 dade2d5ecb0b754ec69d4bb4e887d42e Global Keyboard Stroke 1.wav 7044 e7662531b5b05431966732cb76a6fffa Global Keyboard Stroke 2.wav 11220 b516137d9257d3b975f6d9ad82b75750 Global Main MenuBack3ver2.wav 32892 b825773a71e8d3655bd8998cbbb424f4 Global Main MenuFwd3ver2.wav 24108 e5035e8fb6d1d16c16c1fda2a3339153 Global Progress Bar.wav 235356 d9820e39524a3b37e982fa77004655be Global Scroll Beep.wav 1572 67bc6aba697a1eb2714d8eda84da0405 MemoryAudio Memory Controller Select.wav 15828 54e676b7ff4dcdd295fabf1dfb9290e5 Memory Games Select.wav 45348 9e95263f0767a62119aa38e668248957 Memory Memory Slot Select.wav 12084 bb86674f7a85e0bf6d9dfb569cfcead4 MusicAudio Games Info Screen In MSurr.wav 63348 17a245d749339571cdc0fb9524a0ba20 Games Info Screen In.wav 63348 b02a19fcbbbe8f394c79c560e67fbeb6 Games Info Screen Out MSurr.wav 71052 c8a81e0046acbc0ce5712f7621422b5b Games Info Screen Out.wav 5964 2080b7f318e72e06c8e3c8a03656d03c Music CD Select.wav 30300 1104afb43a6aec2b678cda13befa811e SettingsAudio Settings Lang SubMenu Sel.wav 161340 73a89aab381849b9a51bf097293e9449 Settings Parent SubMenu Sel.wav 21372 74a51e1d0634f2a25585389c77b3dd63 TransitionAudio Games Main Menu In_LR.wav 72132 4ebfcf1125ace7e7417e513cf55faf84 Games Main Menu Out_LR.wav 75444 9f1e83b02961528a8920693ba2654a24 Games Sub Menu In_LR.wav 74220 8be59cc1ea9dd4c1349e446554a9e50c Games Sub Menu Out_LR.wav 83148 0d2b3642ed00c68ff26fea337bb21d17 Music Main Menu In_LR.wav 53484 cd9b4b30a8829689be34e10648b89257 Music Main Menu Out_LR.wav 51036 5dcceccf08ae7d4c537a1ad03d1b4d64 Music Select Track In_LR.wav 68388 80af0c1585d8f6fbfd02623182bc8155 Music Select Track Out_LR.wav 68100 e3aa18fd82b3d34df22e34b4fe3d49ed Settings Main Menu In_LR.wav 188844 7553686ac2ab1f1f9c9e16929ffce5ab Settings Main Menu Out_LR.wav 159252 4bc9fbffabb006fcc6d321ee4ba127ee Settings Sub Menu In_LR.wav 97908 2b6b47c092d70ae2ef926ff521b9d3d1 Settings Sub Menu Out_LR.wav 60468 1439f81e8dfab007d9dda12e3b8d34df fonts XBox Book.xtf 14440996 8f5b7cee650f389f1c5c7bb5f70386bb Xbox.xtf 19124720 de4a26c39de8001b95c749f8d3d22128 xboxdashdata.<see versions> AccountSelection.xip 1322518 497f17cc0941611e438093e5af73feb9 default.xip 1619954 c5f0ac7c917ff431739be68528562990 dvd.xip 167045 64feb8f1e5844fc3d4c4a4269677b8a3 jkeyboard.xip 732966 e2d462cd3df9f57a0d572f3229a87b51 Keyboard.xip 658238 c1b2b05a0a47a521d1f7d05ecb566432 LiveToday.xip 1226668 5f33f99506bb687bad95a735c6a9ea80 mainmenu5.xip 2300516 f2e318a54e2a7326c5b42c6def7d64d4 memory_files2.xip 2708134 295fcaec6ad66b14cf51c94d0ac1b999 Memory2.xip 2218462 4c7fcc324216117b8d54a273eb581c29 Message.xip 801609 abd85ff52590e61e0b7081f650175bae music_copy3.xip 1618605 2f7257186e5093b09a1fe5d96716b0c6 Music_PlayEdit2.xip 2593642 628a0c8ce9ee64a6fd3bc339fbb28913 music2.xip 2007578 4979f2dbcf721c1702cde15ed7961800 PasscodeVerify.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_adoc.xip 4208200 a73817afb22f622fc4c25bbd291db66a Settings_Clock.xip 1684098 c49e21dacb92d81ed18380e4354904e1 settings_language.xip 1429750 cf45a77a9bf6dc972344c6cee48adacc settings_list.xip 2928635 123a550fafb5c08b7a0c4437f7989820 settings_panel.xip 2813123 f25f5447def27c67d5842bfc0474b28f settings_parental.xip 1008362 1ae35811db2ecf5af08695ae8b681e6d settings_timezone.xip 1371154 b148d86596529ae3abaec6bb3185d13b settings_video.xip 1978178 a91d26866b85bf80005a7fc1ba59b442 settings3.xip 2966303 8d6076c0ee3a22646c0764c34296c8b8 WaitCursor.xip 33641 6ccd2d7f083ef995f3f67ce747e289a9 xodash audio LiveNowAudio Friend Offline.wav 54092 41b7a8fe061a1ff2552c9bf1188736f5 Friend Online.wav 54060 81ccfe1005276370c5cbb3e708807b62 Friend Request.wav 52436 d7c8b57e754b761d1b3101b3e709b3dd Game Invite.wav 29396 cd580938613a5407eb8bcaffe2688667 VoiceChatAudio Voice Chat Join.wav 26156 7fb1fe01240795fcbf564dabfad01b21 Voice Chat Leave.wav 37028 8021bcf17888d2803c0e419cffa7dbb5 media Content Japanese coc_jpn.txt 2347 f2feb7aa376a74240926d158dd74d65d ximejpm.dic 250528 b1a7b55b9694ed6a47a2b901415e6fc5 ximejps.dic 188288 83f581a5d8023013de26eb65b1467486 SavedGame SaveImage.xbx 18432 f378f3f8f19f3f679ee6a3a7497e104d TitleImage.xbx 67584 6327fec35dd1abe0c3f33ac5cde11c10 TitleMeta.xbx 800 630de678413ed09e15ae45aa231c1af6 TChinese twroc.dic 55226 48d0d50142126651f6090ec99e00b8c5 Xbg 3_doublebutton.xbg 207993 42b0b013d2c2e5817a3e4c8ab04bffb4 act_accountpin.xbg 653118 fe632805e6d6729e7e442fc96771a7d9 act_activation.xbg 59625 a7db0e486f391ad9101ee7d9a6abe7ca act_admin_policy.xbg 71938 135c297799488b118e93deb8ba6ea44e act_alt_names.xbg 84324 158225c13adae3057c062fb8f6730be7 act_billing.xbg 226372 fb04f93f5afed327400f6dae41a3f4e8 act_congrats.xbg 145440 4f773200049c715436c27cad462d3725 act_copy_delete.xbg 888221 66321645c2e21dc97221946871ad8894 act_country.xbg 184789 11ef5a0db7ff1c4e57c372f5ca8a474c act_forced_name.xbg 70512 b47c0cd89ef89019b8d4fb7e9f29078a act_id.xbg 80213 d7b2f7b2c8444c353a00b61963a37ff0 act_message_server.xbg 241052 6876fb92e1c92afc662562fb99a5abb4 act_new_opt_in.xbg 283121 2997402d4dd252d0746e5790b35abeab act_online.xbg 77774 dbd09ce5f9fd916724997bbe64aa7e6c act_overwrite.xbg 578090 c71ca452229dcd95bfee26b7d9424f3a act_passcode.xbg 722464 81526772f069a1c81b76254399fb8666 act_restrictions.xbg 198867 ecbfd5abe9bde3f28e7e21722c85e47c act_state.xbg 797805 1f2a1cacb023ac3c754d9548a38e8039 act_sub_3button.xbg 158866 112821cc587d1ad4cc99fa0d0a917273 act_sure.xbg 65137 5c1540d7ccec2c6607c8b0510f8f825a act_user_options.xbg 185180 e496c0538f2b825186b00e30f5709931 act_users2.xbg 88313 12ce8b2ae9d7d450660b7de5aebcaaf8 addfriend.xbg 1890765 f6bf945bea8ef86d593109b2d1866b89 anim_connecting.xbg 1034604 d414eabc933dc46e64b3703c54b8e574 anim_wait_5.xbg 25575 007a7e8f3f4b262414100cc48d8cbdb0 backbutton.xbg 81349 6b894fe7c6392836808dc6230bd7b0d0 bud_actions.xbg 146828 dbc004a2b3081507ae2c2efed71fb4a3 cellwall.xbg 190846 219a43d501df170e4affcae9e4b35e92 contextual.xbg 1937307 007ac7c3ddedad86a662bc9b115d1f00 feedback.xbg 1929240 d26e11eb96b135eac630dfcee1b7e5fb friends.xbg 2224276 afae13fb39cc559c24c85262509e888e gen_dob_tumblers.xbg 1276515 83c24a1a6ed4f405dc0caad816a0a204 gen_exp_tumblers.xbg 1262446 9e4d5fd47c810132f42bf9bc173a1908 gen_large_panel.xbg 210906 814dfbf474a031ab82f6271a4c0648db gen_mess_panel.xbg 347851 397c04b140e03b293b1a104e540d73fc j_candidates.xbg 254619 060728bbf7498173420a45be61b7c339 j_keyboard.xbg 737322 88c480d6b5ab9feb95b3e906760e2373 k_keyboard.xbg 426877 6388aede82d338db42b55752aa5b9d06 keyboard.xbg 375657 873fbf9ec6585103346bf0a381f95d93 keypad.xbg 202889 decf2d76e67af781ad34c220be6308f8 nts_dns.xbg 192159 bd54bc1e4246605937a828b3b6278a95 nts_ip.xbg 202623 9e100d8c7029c20cfc9bd7ee0fa6bc65 nts_settings.xbg 216718 512de7f31ef378651a5e783965ea7f24 nts_status.xbg 181806 0a0d4a2ed3c61c86258d6d3ae3fe3837 nts_wireless.xbg 231935 82a12b613465f617c90c7fdce118adef orb_master.xbg 348747 c259f4d1276582d32044826f6d88cedc selectbutton.xbg 73523 bf0fcf1cde1d1aa92b7335ab5d8c10a3 t_keyboard.xbg 405161 912e6bd830337868cb9b51d30c8c0121 voicechat.xbg 2327218 dd2e8dcea71fc8fa661daa7d6c9b0f6d voicemail.xbg 1948139 662585947a38eff1b5e74e871ea4d5be Xbx button.xbx 10240 fc14f24784a74a5d48004e48880086cb cellwall.xbx 67584 ff23d97f5263ee657cdd7d528bb1c95e darken_opacity.xbx 18432 7f24ebbab4f77fe612d0dd9491001e49 Disabled.xbx 10240 6d8da8de70e262767600d2b84eec43c2 disabled_highlight.xbx 6144 64f4dd2e2f5539ad6a11417abe0ef336 footer.xbx 34816 6a2124d31b374d9c3f426436aec35161 GameHilite_01.xbx 6144 c4fa23bce07f08dd360565d9b267b0b0 highlight.xbx 10240 1e99278554e5d4a0e42b808ebd833385 keyboard_alpha.xbx 18432 65553de7e37186f96942948cbe4639b9 Live_header.xbx 34816 fc46134b8dd7abf183e1d466d5afe6bf live_highlight_disabled.xbx 10240 5a2da8c4c763cdcf6ab7c23deaa64205 LiveChrome.xbx 67584 f64b49852005cc389d205ea1de8d1048 mess_panel_backing.xbx 18432 24459f91d4de55a521d2c75da81ac7de Options.xbx 18432 9e442a174906ef3e06c04c5cd43b6ddd panel1.xbx 18432 7ef04f5b0d0ce60e9ac385d5734d35a3 panel10.xbx 10240 2852c18e0b898a0cd0f74d957d1c4e1f panel11.xbx 18432 188290082b02fc03a2656ffdc131f309 panel12.xbx 18432 bf234eb3313b4af0f04a7eea816b0819 panel13.xbx 18432 c465aaacf64ff98d7e5c7501f15df4cd panel14.xbx 18432 5b52636f2ae781df267c27ba4f1fa1f4 panel15.xbx 10240 43ce1530ac07161c65b1ff5d02ddaf07 panel16.xbx 18432 1c35588436ba6d4a437fb1d22e8ed029 panel17.xbx 10240 7b9d574182f87b7c8bb9b1f16d07a234 panel18.xbx 18432 192a162567836159e44355a13b108ec6 panel19.xbx 18432 3d205c154cd434ae46009670b8a5c830 panel2.xbx 18432 4958bbd39d6adc867a323bd14e7fedfb panel20.xbx 18432 70fcee44a106f94f3d505b8fe36e89bd panel3.xbx 18432 7ddc37a40c11f91c4f5709275753682c panel4.xbx 18432 54ca9e18cadcabd704eff52270cf5aef panel5.xbx 18432 9a92cefceb843e4b634ef4862b2838f0 panel6.xbx 18432 5220d145a2d73f10018f822b746a33f9 panel7.xbx 18432 0fb78b53c5b037f006342a10f13447f5 panel8.xbx 18432 212a8b96d91eaab3788d33ea3f0f99d0 panel9.xbx 18432 25b985d4c995f4898ea1c3344cf0d2f0 Plain_header.xbx 34816 494a987d8bf0000ff972ec0926aa08dd pulse_3D_64_matte_trans.xbx 4096 7d9b93b859d90f855dbb0a17170821bc Pulse1.xbx 34816 364898b79abf0110779b849a4df38154 ridges.xbx 34816 caabfdb8e5aa2390d001d60247ff3b72 wireframe.xbx 10240 48468dbefff5fb21d52f8b66418a89f2 xbox2.xbx 264192 e86870b16246b4399a86c592a1f87b3b xbox4.xbx 67584 67f33ec44e706a322e2550a342340a3c xboxlogo.xbx 264192 77cf58d065229b28edda8b08709ac31d xboxlogow.xbx 264192 c4816fb72fe27cd18bb04a109b9facd1 update.xbe 2260992 <see versions> xonlinedash.xbe 2617344 <see versions> XBox Book.xtf 17068868 54751950aa215228a4915955f7d2ce0c Xbox.xtf 15613736 0466dd6c19ec9c1785e8aadfc8c5269e xboxdash.xbe 1961984 <see versions> E TDATA UDATA </pre> I have seen a few differences. I thought all my Xboxs had the same dashboard version, but I have 2 slightly different versions of files: == 185ead00 == Here are the differences for this dashboard * {{fs-drive|C:}} ** {{fs-folder|xboxdashdata.185ead00}} ** {{fs-folder|xodash}} *** {{fs-file|update.xbe|size=2260992|hash=bc99ef8730158ba1bf3f1c9c84520661}} *** {{fs-file|xonlinedash.xbe|size=2617344|hash=8149654a030d813bcc02a24f39fd3ce9}} ** {{fs-file|xboxdash.xbe|size=1961984|hash=08d3a6f99184679aa13008d6397bacce}} == 185a6100 == Here are the differences for this dashboard * {{fs-drive|C:}} ** {{fs-folder|xboxdashdata.185a6100}} ** {{fs-folder|xodash}} *** {{fs-file|update.xbe|size=2260992|hash=78ad0f3f0cb83010728e00457a778121}} *** {{fs-file|xonlinedash.xbe|size=2617344|hash=01dd6c8aa72b473ba1523c73c6527d86}} ** {{fs-file|xboxdash.xbe|size=1961984|hash=1fa397b44ec78965ef955539fd8f4fbd}} 87a2f7377fe3a26e25bbb9b1d11f4a5bdd57ee3c 5619 5613 2017-05-31T09:49:58Z JayFoxRox 2 wikitext text/x-wiki The files on the Xbox look something like this (The checksums are MD5): * {{fs-drive|C:}} ** {{fs-folder|Audio}} *** {{fs-folder|AmbientAudio}} **** {{fs-file|AMB_05_ENGINEROOM_LR.wav|size=5562348|hash=565b84c327ef10b4854db6d3c943078e}} **** {{fs-file|AMB_06_COMMUNICATION_LR.wav|size=5412228|hash=767c124d7260a8c0072ed21fb2d46915}} **** {{fs-file|AMB_12_HYDROTHUNDER_LR.wav|size=6447588|hash=8fe6214758f24524ea7af2f3a30258a0}} **** {{fs-file|AMB_EC_Pinger1.wav|size=1259412|hash=076eb4b27b9ff381a8e188898975fb4d}} **** {{fs-file|AMB_EC_Steam1.wav|size=656484|hash=43ac56a62ed8459239b97a39e665af2f}} **** {{fs-file|AMB_EC_Steam2.wav|size=943836|hash=337bc7e89097d2b3ddcdb0eab0a92e13}} **** {{fs-file|AMB_EC_Steam3.wav|size=516156|hash=88537eaeed16c6a4475d3b3738623aab}} **** {{fs-file|AMB_EC_Steam4.wav|size=746556|hash=b0916cc4d6668a9771afd01496f4e9d7}} **** {{fs-file|AMB_EC_Steam5.wav|size=737340|hash=552e8c32ea1a04f69e98859e56077f1b}} **** {{fs-file|AMB_EC_Steam6.wav|size=534588|hash=f4cbc9d9a4f32adf2844ab97df798c76}} **** {{fs-file|AMB_EC_Steam7.wav|size=1021884|hash=f041eb53748e5d47410a188c6e280b15}} **** {{fs-file|AMB_EC_Voices1.wav|size=307932|hash=741c2d6d63ba0b3b464ea5b6b318cdbc}} **** {{fs-file|AMB_EC_Voices10.wav|size=525372|hash=28a17555fa442249cbd7861e80bcf5ac}} **** {{fs-file|AMB_EC_Voices11.wav|size=313404|hash=1b97f1b14fcab2201da745ed4f44e491}} **** {{fs-file|AMB_EC_Voices12.wav|size=672828|hash=80c65f6b627b259796927adc6dde86f6}} **** {{fs-file|AMB_EC_Voices13.wav|size=362580|hash=026576c28474118b04cc4a09fb6b5480}} **** {{fs-file|AMB_EC_Voices2.wav|size=307644|hash=b3de08af73e56f93c10147e0b7f3bc57}} **** {{fs-file|AMB_EC_Voices3.wav|size=695292|hash=ce594325ac41b2d95bea4a1a2a0449b4}} **** {{fs-file|AMB_EC_Voices4.wav|size=521916|hash=b368c2a8995b000c340d3e1408e0fdc5}} **** {{fs-file|AMB_EC_Voices5.wav|size=292092|hash=bf018e7ad6d6d4531753ef7ea0a1d16e}} **** {{fs-file|AMB_EC_Voices6.wav|size=709692|hash=be2f2d7447cb69309595e115f72e5500}} **** {{fs-file|AMB_EC_Voices7.wav|size=502332|hash=1fb09252f8ac69036351661f653da142}} **** {{fs-file|AMB_EC_Voices8.wav|size=313404|hash=aa2849ce3b7df30ffc894322f83a7497}} **** {{fs-file|AMB_EC_Voices9.wav|size=691260|hash=4ff4887384d0d5697df491ea9ce6b51b}} **** {{fs-file|comm static 1.wav|size=39012|hash=4820878be0a0c67e2e2bfd1a82e9af60}} **** {{fs-file|comm static 2.wav|size=71052|hash=6db8cae9fd2a8a7cf8fa9d3abe53ea1d}} **** {{fs-file|comm static 3.wav|size=104172|hash=2abe2439e393432e6ae4d596c283690c}} **** {{fs-file|comm static 4.wav|size=93948|hash=5e00320ced41a87a79aedc7ceaf5d57c}} **** {{fs-file|comm voice 1.wav|size=189636|hash=0b208c6775907edc63a65054fc807af5}} **** {{fs-file|comm voice 2.wav|size=196116|hash=7af4f6576c1714391f1aa4a8b0100ca5}} **** {{fs-file|comm voice 3.wav|size=241044|hash=08781a9e45eac3df26142d8478eb684d}} **** {{fs-file|comm voice 4.wav|size=69036|hash=948c41545db45969e71c0a5e7614a22f}} **** {{fs-file|comm voice 5.wav|size=116484|hash=d67a914b933f85f513f4d8e44d09980a}} **** {{fs-file|comm voice 6.wav|size=83796|hash=1f595aeaef1bdfb501a91de7638fe28f}} **** {{fs-file|comm voice 7.wav|size=81852|hash=b2b9fa426e3237ddeb79f0536869eca2}} **** {{fs-file|comm voice 8.wav|size=178620|hash=df652e1d62a8b33af6a47acffb4fcadb}} **** {{fs-file|comm voice 9.wav|size=110076|hash=39b0f0a3d6d5ec10055b68e602b8675c}} **** {{fs-file|Control Room Loop ver2.wav|size=543732|hash=093c1519cb6bd6d6d3930d3f774b3485}} **** {{fs-file|Control Room Loop.wav|size=541860|hash=0f23001b0319a568ac862ec7a1f5ee6f}} *** {{fs-folder|MainAudio}} **** {{fs-file|Global A Button Select.wav|size=18708|hash=895b82ec5a33bc8a786e2a690a734de3}} **** {{fs-file|Global B Button Back.wav|size=18708|hash=45e2b8b11534d2da41900fa5ef5418f4}} **** {{fs-file|Global Completion Beep.wav|size=12012|hash=2aa770f713594310639ec15ebf2695af}} **** {{fs-file|Global Delete_Destroy.wav|size=41820|hash=cdefc6e08f772d2c4ab77a564dc50183}} **** {{fs-file|Global Error Message B.wav|size=14964|hash=dade2d5ecb0b754ec69d4bb4e887d42e}} **** {{fs-file|Global Keyboard Stroke 1.wav|size=7044|hash=e7662531b5b05431966732cb76a6fffa}} **** {{fs-file|Global Keyboard Stroke 2.wav|size=11220|hash=b516137d9257d3b975f6d9ad82b75750}} **** {{fs-file|Global Main MenuBack3ver2.wav|size=32892|hash=b825773a71e8d3655bd8998cbbb424f4}} **** {{fs-file|Global Main MenuFwd3ver2.wav|size=24108|hash=e5035e8fb6d1d16c16c1fda2a3339153}} **** {{fs-file|Global Progress Bar.wav|size=235356|hash=d9820e39524a3b37e982fa77004655be}} **** {{fs-file|Global Scroll Beep.wav|size=1572|hash=67bc6aba697a1eb2714d8eda84da0405}} *** {{fs-folder|MemoryAudio}} **** {{fs-file|Memory Controller Select.wav|size=15828|hash=54e676b7ff4dcdd295fabf1dfb9290e5}} **** {{fs-file|Memory Games Select.wav|size=45348|hash=9e95263f0767a62119aa38e668248957}} **** {{fs-file|Memory Memory Slot Select.wav|size=12084|hash=bb86674f7a85e0bf6d9dfb569cfcead4}} *** {{fs-folder|MusicAudio}} **** {{fs-file|Games Info Screen In MSurr.wav|size=63348|hash=17a245d749339571cdc0fb9524a0ba20}} **** {{fs-file|Games Info Screen In.wav|size=63348|hash=b02a19fcbbbe8f394c79c560e67fbeb6}} **** {{fs-file|Games Info Screen Out MSurr.wav|size=71052|hash=c8a81e0046acbc0ce5712f7621422b5b}} **** {{fs-file|Games Info Screen Out.wav|size=5964|hash=2080b7f318e72e06c8e3c8a03656d03c}} **** {{fs-file|Music CD Select.wav|size=30300|hash=1104afb43a6aec2b678cda13befa811e}} *** {{fs-folder|SettingsAudio}} **** {{fs-file|Settings Lang SubMenu Sel.wav|size=161340|hash=73a89aab381849b9a51bf097293e9449}} **** {{fs-file|Settings Parent SubMenu Sel.wav|size=21372|hash=74a51e1d0634f2a25585389c77b3dd63}} *** {{fs-folder|TransitionAudio}} **** {{fs-file|Games Main Menu In_LR.wav|size=72132|hash=4ebfcf1125ace7e7417e513cf55faf84}} **** {{fs-file|Games Main Menu Out_LR.wav|size=75444|hash=9f1e83b02961528a8920693ba2654a24}} **** {{fs-file|Games Sub Menu In_LR.wav|size=74220|hash=8be59cc1ea9dd4c1349e446554a9e50c}} **** {{fs-file|Games Sub Menu Out_LR.wav|size=83148|hash=0d2b3642ed00c68ff26fea337bb21d17}} **** {{fs-file|Music Main Menu In_LR.wav|size=53484|hash=cd9b4b30a8829689be34e10648b89257}} **** {{fs-file|Music Main Menu Out_LR.wav|size=51036|hash=5dcceccf08ae7d4c537a1ad03d1b4d64}} **** {{fs-file|Music Select Track In_LR.wav|size=68388|hash=80af0c1585d8f6fbfd02623182bc8155}} **** {{fs-file|Music Select Track Out_LR.wav|size=68100|hash=e3aa18fd82b3d34df22e34b4fe3d49ed}} **** {{fs-file|Settings Main Menu In_LR.wav|size=188844|hash=7553686ac2ab1f1f9c9e16929ffce5ab}} **** {{fs-file|Settings Main Menu Out_LR.wav|size=159252|hash=4bc9fbffabb006fcc6d321ee4ba127ee}} **** {{fs-file|Settings Sub Menu In_LR.wav|size=97908|hash=2b6b47c092d70ae2ef926ff521b9d3d1}} **** {{fs-file|Settings Sub Menu Out_LR.wav|size=60468|hash=1439f81e8dfab007d9dda12e3b8d34df}} ** {{fs-folder|fonts}} *** {{fs-file|XBox Book.xtf|size=14440996|hash=8f5b7cee650f389f1c5c7bb5f70386bb}} *** {{fs-file|Xbox.xtf|size=19124720|hash=de4a26c39de8001b95c749f8d3d22128}} ** {{fs-folder|xboxdashdata.<see versions>}} *** {{fs-file|AccountSelection.xip|size=1322518|hash=497f17cc0941611e438093e5af73feb9}} *** {{fs-file|default.xip|size=1619954|hash=c5f0ac7c917ff431739be68528562990}} *** {{fs-file|dvd.xip|size=167045|hash=64feb8f1e5844fc3d4c4a4269677b8a3}} *** {{fs-file|jkeyboard.xip|size=732966|hash=e2d462cd3df9f57a0d572f3229a87b51}} *** {{fs-file|Keyboard.xip|size=658238|hash=c1b2b05a0a47a521d1f7d05ecb566432}} *** {{fs-file|LiveToday.xip|size=1226668|hash=5f33f99506bb687bad95a735c6a9ea80}} *** {{fs-file|mainmenu5.xip|size=2300516|hash=f2e318a54e2a7326c5b42c6def7d64d4}} *** {{fs-file|memory_files2.xip|size=2708134|hash=295fcaec6ad66b14cf51c94d0ac1b999}} *** {{fs-file|Memory2.xip|size=2218462|hash=4c7fcc324216117b8d54a273eb581c29}} *** {{fs-file|Message.xip|size=801609|hash=abd85ff52590e61e0b7081f650175bae}} *** {{fs-file|music_copy3.xip|size=1618605|hash=2f7257186e5093b09a1fe5d96716b0c6}} *** {{fs-file|Music_PlayEdit2.xip|size=2593642|hash=628a0c8ce9ee64a6fd3bc339fbb28913}} *** {{fs-file|music2.xip|size=2007578|hash=4979f2dbcf721c1702cde15ed7961800}} *** {{fs-file|PasscodeVerify.xip|size=2813123|hash=f25f5447def27c67d5842bfc0474b28f}} *** {{fs-file|settings_adoc.xip|size=4208200|hash=a73817afb22f622fc4c25bbd291db66a}} *** {{fs-file|Settings_Clock.xip|size=1684098|hash=c49e21dacb92d81ed18380e4354904e1}} *** {{fs-file|settings_language.xip|size=1429750|hash=cf45a77a9bf6dc972344c6cee48adacc}} *** {{fs-file|settings_list.xip|size=2928635|hash=123a550fafb5c08b7a0c4437f7989820}} *** {{fs-file|settings_panel.xip|size=2813123|hash=f25f5447def27c67d5842bfc0474b28f}} *** {{fs-file|settings_parental.xip|size=1008362|hash=1ae35811db2ecf5af08695ae8b681e6d}} *** {{fs-file|settings_timezone.xip|size=1371154|hash=b148d86596529ae3abaec6bb3185d13b}} *** {{fs-file|settings_video.xip|size=1978178|hash=a91d26866b85bf80005a7fc1ba59b442}} *** {{fs-file|settings3.xip|size=2966303|hash=8d6076c0ee3a22646c0764c34296c8b8}} *** {{fs-file|WaitCursor.xip|size=33641|hash=6ccd2d7f083ef995f3f67ce747e289a9}} ** {{fs-folder|xodash}} *** {{fs-folder|audio}} **** {{fs-folder|LiveNowAudio}} ***** {{fs-file|Friend Offline.wav|size=54092|hash=41b7a8fe061a1ff2552c9bf1188736f5}} ***** {{fs-file|Friend Online.wav|size=54060|hash=81ccfe1005276370c5cbb3e708807b62}} ***** {{fs-file|Friend Request.wav|size=52436|hash=d7c8b57e754b761d1b3101b3e709b3dd}} ***** {{fs-file|Game Invite.wav|size=29396|hash=cd580938613a5407eb8bcaffe2688667}} **** {{fs-folder|VoiceChatAudio}} ***** {{fs-file|Voice Chat Join.wav|size=26156|hash=7fb1fe01240795fcbf564dabfad01b21}} ***** {{fs-file|Voice Chat Leave.wav|size=37028|hash=8021bcf17888d2803c0e419cffa7dbb5}} *** {{fs-folder|media}} **** {{fs-folder|Content}} ***** {{fs-folder|Japanese}} ****** {{fs-file|coc_jpn.txt|size=2347|hash=f2feb7aa376a74240926d158dd74d65d}} ****** {{fs-file|ximejpm.dic|size=250528|hash=b1a7b55b9694ed6a47a2b901415e6fc5}} ****** {{fs-file|ximejps.dic|size=188288|hash=83f581a5d8023013de26eb65b1467486}} ***** {{fs-folder|SavedGame}} ****** {{fs-file|SaveImage.xbx|size=18432|hash=f378f3f8f19f3f679ee6a3a7497e104d}} ****** {{fs-file|TitleImage.xbx|size=67584|hash=6327fec35dd1abe0c3f33ac5cde11c10}} ****** {{fs-file|TitleMeta.xbx|size=800|hash=630de678413ed09e15ae45aa231c1af6}} ***** {{fs-folder|TChinese}} ****** {{fs-file|twroc.dic|size=55226|hash=48d0d50142126651f6090ec99e00b8c5}} **** {{fs-folder|Xbg}} ***** {{fs-file|3_doublebutton.xbg|size=207993|hash=42b0b013d2c2e5817a3e4c8ab04bffb4}} ***** {{fs-file|act_accountpin.xbg|size=653118|hash=fe632805e6d6729e7e442fc96771a7d9}} ***** {{fs-file|act_activation.xbg|size=59625|hash=a7db0e486f391ad9101ee7d9a6abe7ca}} ***** {{fs-file|act_admin_policy.xbg|size=71938|hash=135c297799488b118e93deb8ba6ea44e}} ***** {{fs-file|act_alt_names.xbg|size=84324|hash=158225c13adae3057c062fb8f6730be7}} ***** {{fs-file|act_billing.xbg|size=226372|hash=fb04f93f5afed327400f6dae41a3f4e8}} ***** {{fs-file|act_congrats.xbg|size=145440|hash=4f773200049c715436c27cad462d3725}} ***** {{fs-file|act_copy_delete.xbg|size=888221|hash=66321645c2e21dc97221946871ad8894}} ***** {{fs-file|act_country.xbg|size=184789|hash=11ef5a0db7ff1c4e57c372f5ca8a474c}} ***** {{fs-file|act_forced_name.xbg|size=70512|hash=b47c0cd89ef89019b8d4fb7e9f29078a}} ***** {{fs-file|act_id.xbg|size=80213|hash=d7b2f7b2c8444c353a00b61963a37ff0}} ***** {{fs-file|act_message_server.xbg|size=241052|hash=6876fb92e1c92afc662562fb99a5abb4}} ***** {{fs-file|act_new_opt_in.xbg|size=283121|hash=2997402d4dd252d0746e5790b35abeab}} ***** {{fs-file|act_online.xbg|size=77774|hash=dbd09ce5f9fd916724997bbe64aa7e6c}} ***** {{fs-file|act_overwrite.xbg|size=578090|hash=c71ca452229dcd95bfee26b7d9424f3a}} ***** {{fs-file|act_passcode.xbg|size=722464|hash=81526772f069a1c81b76254399fb8666}} ***** {{fs-file|act_restrictions.xbg|size=198867|hash=ecbfd5abe9bde3f28e7e21722c85e47c}} ***** {{fs-file|act_state.xbg|size=797805|hash=1f2a1cacb023ac3c754d9548a38e8039}} ***** {{fs-file|act_sub_3button.xbg|size=158866|hash=112821cc587d1ad4cc99fa0d0a917273}} ***** {{fs-file|act_sure.xbg|size=65137|hash=5c1540d7ccec2c6607c8b0510f8f825a}} ***** {{fs-file|act_user_options.xbg|size=185180|hash=e496c0538f2b825186b00e30f5709931}} ***** {{fs-file|act_users2.xbg|size=88313|hash=12ce8b2ae9d7d450660b7de5aebcaaf8}} ***** {{fs-file|addfriend.xbg|size=1890765|hash=f6bf945bea8ef86d593109b2d1866b89}} ***** {{fs-file|anim_connecting.xbg|size=1034604|hash=d414eabc933dc46e64b3703c54b8e574}} ***** {{fs-file|anim_wait_5.xbg|size=25575|hash=007a7e8f3f4b262414100cc48d8cbdb0}} ***** {{fs-file|backbutton.xbg|size=81349|hash=6b894fe7c6392836808dc6230bd7b0d0}} ***** {{fs-file|bud_actions.xbg|size=146828|hash=dbc004a2b3081507ae2c2efed71fb4a3}} ***** {{fs-file|cellwall.xbg|size=190846|hash=219a43d501df170e4affcae9e4b35e92}} ***** {{fs-file|contextual.xbg|size=1937307|hash=007ac7c3ddedad86a662bc9b115d1f00}} ***** {{fs-file|feedback.xbg|size=1929240|hash=d26e11eb96b135eac630dfcee1b7e5fb}} ***** {{fs-file|friends.xbg|size=2224276|hash=afae13fb39cc559c24c85262509e888e}} ***** {{fs-file|gen_dob_tumblers.xbg|size=1276515|hash=83c24a1a6ed4f405dc0caad816a0a204}} ***** {{fs-file|gen_exp_tumblers.xbg|size=1262446|hash=9e4d5fd47c810132f42bf9bc173a1908}} ***** {{fs-file|gen_large_panel.xbg|size=210906|hash=814dfbf474a031ab82f6271a4c0648db}} ***** {{fs-file|gen_mess_panel.xbg|size=347851|hash=397c04b140e03b293b1a104e540d73fc}} ***** {{fs-file|j_candidates.xbg|size=254619|hash=060728bbf7498173420a45be61b7c339}} ***** {{fs-file|j_keyboard.xbg|size=737322|hash=88c480d6b5ab9feb95b3e906760e2373}} ***** {{fs-file|k_keyboard.xbg|size=426877|hash=6388aede82d338db42b55752aa5b9d06}} ***** {{fs-file|keyboard.xbg|size=375657|hash=873fbf9ec6585103346bf0a381f95d93}} ***** {{fs-file|keypad.xbg|size=202889|hash=decf2d76e67af781ad34c220be6308f8}} ***** {{fs-file|nts_dns.xbg|size=192159|hash=bd54bc1e4246605937a828b3b6278a95}} ***** {{fs-file|nts_ip.xbg|size=202623|hash=9e100d8c7029c20cfc9bd7ee0fa6bc65}} ***** {{fs-file|nts_settings.xbg|size=216718|hash=512de7f31ef378651a5e783965ea7f24}} ***** {{fs-file|nts_status.xbg|size=181806|hash=0a0d4a2ed3c61c86258d6d3ae3fe3837}} ***** {{fs-file|nts_wireless.xbg|size=231935|hash=82a12b613465f617c90c7fdce118adef}} ***** {{fs-file|orb_master.xbg|size=348747|hash=c259f4d1276582d32044826f6d88cedc}} ***** {{fs-file|selectbutton.xbg|size=73523|hash=bf0fcf1cde1d1aa92b7335ab5d8c10a3}} ***** {{fs-file|t_keyboard.xbg|size=405161|hash=912e6bd830337868cb9b51d30c8c0121}} ***** {{fs-file|voicechat.xbg|size=2327218|hash=dd2e8dcea71fc8fa661daa7d6c9b0f6d}} ***** {{fs-file|voicemail.xbg|size=1948139|hash=662585947a38eff1b5e74e871ea4d5be}} **** {{fs-folder|Xbx}} ***** {{fs-file|button.xbx|size=10240|hash=fc14f24784a74a5d48004e48880086cb}} ***** {{fs-file|cellwall.xbx|size=67584|hash=ff23d97f5263ee657cdd7d528bb1c95e}} ***** {{fs-file|darken_opacity.xbx|size=18432|hash=7f24ebbab4f77fe612d0dd9491001e49}} ***** {{fs-file|Disabled.xbx|size=10240|hash=6d8da8de70e262767600d2b84eec43c2}} ***** {{fs-file|disabled_highlight.xbx|size=6144|hash=64f4dd2e2f5539ad6a11417abe0ef336}} ***** {{fs-file|footer.xbx|size=34816|hash=6a2124d31b374d9c3f426436aec35161}} ***** {{fs-file|GameHilite_01.xbx|size=6144|hash=c4fa23bce07f08dd360565d9b267b0b0}} ***** {{fs-file|highlight.xbx|size=10240|hash=1e99278554e5d4a0e42b808ebd833385}} ***** {{fs-file|keyboard_alpha.xbx|size=18432|hash=65553de7e37186f96942948cbe4639b9}} ***** {{fs-file|Live_header.xbx|size=34816|hash=fc46134b8dd7abf183e1d466d5afe6bf}} ***** {{fs-file|live_highlight_disabled.xbx|size=10240|hash=5a2da8c4c763cdcf6ab7c23deaa64205}} ***** {{fs-file|LiveChrome.xbx|size=67584|hash=f64b49852005cc389d205ea1de8d1048}} ***** {{fs-file|mess_panel_backing.xbx|size=18432|hash=24459f91d4de55a521d2c75da81ac7de}} ***** {{fs-file|Options.xbx|size=18432|hash=9e442a174906ef3e06c04c5cd43b6ddd}} ***** {{fs-file|panel1.xbx|size=18432|hash=7ef04f5b0d0ce60e9ac385d5734d35a3}} ***** {{fs-file|panel10.xbx|size=10240|hash=2852c18e0b898a0cd0f74d957d1c4e1f}} ***** {{fs-file|panel11.xbx|size=18432|hash=188290082b02fc03a2656ffdc131f309}} ***** {{fs-file|panel12.xbx|size=18432|hash=bf234eb3313b4af0f04a7eea816b0819}} ***** {{fs-file|panel13.xbx|size=18432|hash=c465aaacf64ff98d7e5c7501f15df4cd}} ***** {{fs-file|panel14.xbx|size=18432|hash=5b52636f2ae781df267c27ba4f1fa1f4}} ***** {{fs-file|panel15.xbx|size=10240|hash=43ce1530ac07161c65b1ff5d02ddaf07}} ***** {{fs-file|panel16.xbx|size=18432|hash=1c35588436ba6d4a437fb1d22e8ed029}} ***** {{fs-file|panel17.xbx|size=10240|hash=7b9d574182f87b7c8bb9b1f16d07a234}} ***** {{fs-file|panel18.xbx|size=18432|hash=192a162567836159e44355a13b108ec6}} ***** {{fs-file|panel19.xbx|size=18432|hash=3d205c154cd434ae46009670b8a5c830}} ***** {{fs-file|panel2.xbx|size=18432|hash=4958bbd39d6adc867a323bd14e7fedfb}} ***** {{fs-file|panel20.xbx|size=18432|hash=70fcee44a106f94f3d505b8fe36e89bd}} ***** {{fs-file|panel3.xbx|size=18432|hash=7ddc37a40c11f91c4f5709275753682c}} ***** {{fs-file|panel4.xbx|size=18432|hash=54ca9e18cadcabd704eff52270cf5aef}} ***** {{fs-file|panel5.xbx|size=18432|hash=9a92cefceb843e4b634ef4862b2838f0}} ***** {{fs-file|panel6.xbx|size=18432|hash=5220d145a2d73f10018f822b746a33f9}} ***** {{fs-file|panel7.xbx|size=18432|hash=0fb78b53c5b037f006342a10f13447f5}} ***** {{fs-file|panel8.xbx|size=18432|hash=212a8b96d91eaab3788d33ea3f0f99d0}} ***** {{fs-file|panel9.xbx|size=18432|hash=25b985d4c995f4898ea1c3344cf0d2f0}} ***** {{fs-file|Plain_header.xbx|size=34816|hash=494a987d8bf0000ff972ec0926aa08dd}} ***** {{fs-file|pulse_3D_64_matte_trans.xbx|size=4096|hash=7d9b93b859d90f855dbb0a17170821bc}} ***** {{fs-file|Pulse1.xbx|size=34816|hash=364898b79abf0110779b849a4df38154}} ***** {{fs-file|ridges.xbx|size=34816|hash=caabfdb8e5aa2390d001d60247ff3b72}} ***** {{fs-file|wireframe.xbx|size=10240|hash=48468dbefff5fb21d52f8b66418a89f2}} ***** {{fs-file|xbox2.xbx|size=264192|hash=e86870b16246b4399a86c592a1f87b3b}} ***** {{fs-file|xbox4.xbx|size=67584|hash=67f33ec44e706a322e2550a342340a3c}} ***** {{fs-file|xboxlogo.xbx|size=264192|hash=77cf58d065229b28edda8b08709ac31d}} ***** {{fs-file|xboxlogow.xbx|size=264192|hash=c4816fb72fe27cd18bb04a109b9facd1}} *** {{fs-file|update.xbe|size=2260992}} <see versions> *** {{fs-file|xonlinedash.xbe|size=2617344}} <see versions> ** {{fs-file|XBox Book.xtf|size=17068868|hash=54751950aa215228a4915955f7d2ce0c}} ** {{fs-file|Xbox.xtf|size=15613736|hash=0466dd6c19ec9c1785e8aadfc8c5269e}} ** {{fs-file|xboxdash.xbe|size=1961984}} <see versions> * {{fs-drive|E:}} ** {{fs-folder|TDATA}} ** {{fs-folder|UDATA}} I have seen a few differences. I thought all my Xboxs had the same dashboard version, but I have 2 slightly different versions of files: == 185ead00 == Here are the differences for this dashboard * {{fs-drive|C:}} ** {{fs-folder|xboxdashdata.185ead00}} ** {{fs-folder|xodash}} *** {{fs-file|update.xbe|size=2260992|hash=bc99ef8730158ba1bf3f1c9c84520661}} *** {{fs-file|xonlinedash.xbe|size=2617344|hash=8149654a030d813bcc02a24f39fd3ce9}} ** {{fs-file|xboxdash.xbe|size=1961984|hash=08d3a6f99184679aa13008d6397bacce}} == 185a6100 == Here are the differences for this dashboard * {{fs-drive|C:}} ** {{fs-folder|xboxdashdata.185a6100}} ** {{fs-folder|xodash}} *** {{fs-file|update.xbe|size=2260992|hash=78ad0f3f0cb83010728e00457a778121}} *** {{fs-file|xonlinedash.xbe|size=2617344|hash=01dd6c8aa72b473ba1523c73c6527d86}} ** {{fs-file|xboxdash.xbe|size=1961984|hash=1fa397b44ec78965ef955539fd8f4fbd}} 36916bec0bc67242684abb4f4f8273e8cadbc506 0 3678 5627 5569 2017-05-31T10:36:17Z JayFoxRox 2 /* INIT */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot process initialization for the kernel, [[http://xboxdevwiki.net/Boot_Process#Initialization|listed here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 454909f23d60a40154256db43fbc44e0b2498554 5628 5627 2017-05-31T10:36:39Z JayFoxRox 2 /* INIT */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot process initialization for the kernel, [[Boot_Process#Initialization|listed here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 77bb00eed95c728cdaaaff08d0d45dfb0cc1694a 5629 5628 2017-05-31T10:37:11Z JayFoxRox 2 /* INIT */ wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 |stdcall |Variable? |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 |stdcall |Variable? |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 |stdcall |Variable? |- |[[Kernel/ExTimerObjectType]] |31 |stdcall |Variable? |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 |stdcall |Variable? |- |[[Kernel/HalDiskModelNumber]] |41 |stdcall |Variable? |- |[[Kernel/HalDiskSerialNumber]] |42 |stdcall |Variable? |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 |stdcall |Variable? |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 |stdcall |Variable? |- |[[Kernel/IoFileObjectType]] |71 |stdcall |Variable? |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 |stdcall |Variable? |- |[[Kernel/KdDebuggerNotPresent]] |89 |stdcall |Variable? |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 |stdcall |Variable? |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 |stdcall |Variable? |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 |stdcall |Variable? |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 |stdcall |Variable? |- |[[Kernel/KeTimeIncrement]] |157 |stdcall |Variable? |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 |stdcall |Variable? |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 |stdcall |Variable? |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 |stdcall |Variable? |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 |stdcall |Variable? |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 |stdcall |Variable? |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 |stdcall |Variable? |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 |stdcall |Variable? |- |[[Kernel/XboxHardwareInfo]] |322 |stdcall |Variable? |- |[[Kernel/XboxHDKey]] |323 |stdcall |Variable? |- |[[Kernel/XboxKrnlVersion]] |324 |stdcall |Variable? |- |[[Kernel/XboxSignatureKey]] |325 |stdcall |Variable? |- |[[Kernel/XeImageFileName]] |326 |stdcall |Variable? |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 |stdcall |Variable? |- |[[Kernel/XePublicKeyData]] |355 |stdcall |Variable? |- |[[Kernel/HalBootSMCVideoMode]] |356 |stdcall |Variable? |- |[[Kernel/IdexChannelObject]] |357 |stdcall |Variable? |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} bd4fd2ee5887e51f848a3858e02f2e443438de54 0 3 5630 5468 2017-05-31T11:39:20Z JayFoxRox 2 /* Random resources about Xbox hacking */ wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] 292f51dd55e17dd66fae72940dc141c76398c317 0 3772 5631 5570 2017-05-31T23:22:36Z JayFoxRox 2 wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) == See Also == [[Hard Drive Files]] 7cbbb127e8f332911e957c627bd35e424d7a8bc2 0 3674 5632 5220 2017-06-01T15:29:19Z JayFoxRox 2 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[BIOS]] and [[MCPX ROM]] are also mapped to memory at the top 16MB and the top 512bytes respectively. On Debug Xboxs and Chihiro, only the BIOS is mapped. {| class="wikitable" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[Flash]] |0xFF000000 - 0xFFFFFFFF |0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MAIN_MEMORY 128 * 1024 * 1024 int mcpx_active = 0; #else #define MAIN_MEMORY 64 * 1024 * 1024 int mcpx_active = 1; #endif #define BIOS_SIZE 256 * 1024 #define BIOS_MEMORY_SIZE 16 * 1024 * 1024 #define BIOS_MEMORY (0xFFFFFFFF - BIOS_MEMORY_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MEMORY (0xFFFFFFFF - MCPX_SIZE + 1) uint8_t memory[MAIN_MEMORY] = {0}; uint8_t bios[BIOS_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MAIN_MEMORY) { return memory[location]; } if (mcpx_active && location >= MCPX_MEMORY) { return mcpx[location - MCPX_MEMORY]; } if (location >= BIOS_MEMORY) { return bios[(location - BIOS_MEMORY) % BIOS_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 3574f6ffc76cfa183aa50b790c49bc765a8a95fb 5635 5632 2017-06-01T15:38:21Z JayFoxRox 2 Hopefully improved wording without adding mistakes wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[Flash]] |0xFF000000 - 0xFFFFFFFF |0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> d5137be69c63872f4d24e9e60ed5a2860cecaaff 1 3698 5633 5205 2017-06-01T15:31:23Z JayFoxRox 2 /* Differentiation: Flash and BIOS */ new section wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) They are now changed --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:23, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) I've added a table. It needs improving but it is a start. --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:40, 14 May 2017 (PDT) == Differentiation: Flash and BIOS == I feel we often speak about BIOS and Flash and mean the opposite thing. We should move such information to the appropriate articles and refer to each other if necessary. a18ab64352284e9101f5e570a67e3c3051ed046c 5634 5633 2017-06-01T15:31:38Z JayFoxRox 2 /* Differentiation: Flash and BIOS */ wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) They are now changed --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:23, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) I've added a table. It needs improving but it is a start. --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:40, 14 May 2017 (PDT) == Differentiation: Flash and BIOS == I feel we often speak about BIOS and Flash and mean the opposite thing. We should move such information to the appropriate articles and refer to each other if necessary. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:31, 1 June 2017 (PDT) 3ce4b40aa3c4a3ceee744a75355e61f2914a1d9b 0 3762 5636 5508 2017-06-01T15:43:02Z JayFoxRox 2 wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. For the content of the Microsoft Flash image see [[BIOS]]. 1d0b22f894cd0437e363e1181136f803d5dddb19 0 3762 5637 5636 2017-06-01T15:43:28Z JayFoxRox 2 wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. For the content of the Microsoft flash images see [[BIOS]]. 5bc7d0b7671abfb0efbfb672f801a04142c4fb40 1 3698 5638 5634 2017-06-01T15:44:50Z JayFoxRox 2 /* Differentiation: Flash and BIOS */ wikitext text/x-wiki == Typo in the know Bios versions == @Eighthpence did you mean 3944 instead of 3394 --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:06, 14 May 2017 (PDT) They are now changed --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:23, 14 May 2017 (PDT) == Turn lists into a table? == This article has various lists / sections which all mention the same list of bioses. I believe we should instead transform it into a table / tables and possibly leave fields blank if we don't know something. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 14 May 2017 (PDT) I've added a table. It needs improving but it is a start. --[[User:Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) 12:40, 14 May 2017 (PDT) == Differentiation: Flash and BIOS == I feel we often speak about BIOS and Flash and mean the opposite thing. We should move such information to the appropriate articles and refer to each other if necessary. I think we should even split this into "2BL" and "Flash", not mention the name "BIOS" at all. This removes ambiguity, we can then explain the contents of the flash image on the flash page and refer to the 2BL and Kernel pages for more info. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:31, 1 June 2017 (PDT) 416de8547267d1cf99993a11eec57a5acf3c77b6 0 3672 5639 5507 2017-06-01T15:48:44Z JayFoxRox 2 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! Unknown ! X-Codes ! Copyright String ! Kernel ! Kernel Data Segment ! 2BL ! Decoy Boot Loader |- ! 3944 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4034 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4134 | 0x00000 | 0x00080 | 0x00cfa | | | 0x39E00 | 0x3FE00 |- ! 4817 | 0x00000 | 0x00080 | 0x00db9 | | | | 0x3FE00 |- ! 5101 | 0x00000 | 0x00080 | 0x00e49 | | | | 0x3FE00 |- ! 5530 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5713 | 0x00000 | 0x00080 | 0x00e59 | | | | 0x3FE00 |- ! 5838 | 0x00000 | 0x00080 | 0x00dcc | | | | 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] c02c354a9eff4fe2e327173a9d970e7c755c9c54 5640 5639 2017-06-01T15:51:25Z JayFoxRox 2 Undo revision 5219 by [[Special:Contributions/Eighthpence|Eighthpence]] ([[User talk:Eighthpence|talk]]) (I suggested this change, but it was stupid. Sorry)) wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 ! 4034 ! 4134 ! 4817 ! 5101 ! 5530 ! 5713 ! 5838 |- ! Unknown | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 |- ! X-Codes | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 |- ! Copyright String | 0x00cfa | 0x00cfa | 0x00cfa | 0x00db9 | 0x00e49 | 0x00e59 | 0x00e59 | 0x00dcc |- ! Kernel | | | | | | | | |- ! Kernel Data Segment | | | | | | | | |- ! 2BL | 0x039E00 | 0x039E00 | 0x039E00 | | | | | |- ! Decoy Boot Loader | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00 The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00 This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 0c353103d7d6c6144a7656b9d8bbd598fc89cb92 5641 5640 2017-06-01T16:03:02Z JayFoxRox 2 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! !! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String || 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel || || || || || || || || |- ! Kernel Data Segment || || || || || || || || |- ! 2BL || 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! Decoy Boot Loader || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 6b20f8bd7dc899a3e9672529c14b2b9cfc542b8d 5642 5641 2017-06-01T16:03:58Z JayFoxRox 2 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | || || || || || || || |- ! Kernel Data Segment | || || || || || || || |- ! 2BL | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 265760777a9c2df1c5723bfa367488bb37b57d31 0 3683 5643 5576 2017-06-01T16:30:51Z JayFoxRox 2 /* Xcodes */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; register uint32_t pc; // stored in ESI register register uint8_t opcode; // stored in AL register register uint32_t operand_1; // stored in EBC register register uint32_t operand_2; // stored in ECX register register uint32_t result; // stored in EDI register register uint32_t scratch; // stored in EBP register // values are implied as x86 is just starting up operand_1 = 0; operand_2 = 0; scratch = 0; // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } switch (opcode) { case 0x02: result = get_memory_dword(operand_1 & 0x0fffffff); break; case 0x03: set_memory_dword(operand_1) = operand_2; break; case 0x06: result = (result & operand_1) | operand_2; break; case 0x04: if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); break; case 0x05: outl(operand_1, 0xcf8); result = inl(0xcfc); break; case 0x08: if (result != operand_1) { pc += operand_2; } break; case 0x09: pc += operand_2; break; case 0x10: scratch = (scratch & operand_1) | operand_2; result = scratch; break; case 0x11: outb(operand_2, operand_1); break; case 0x12: result = inb(operand_1); break; case 0xee: goto stop_xcodes; default: break; } pc += 9; } stop_xcodes: } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 96114071095fb0b19f89c96b2510a4efb91f71a4 5644 5643 2017-06-01T16:35:03Z JayFoxRox 2 This is a more accurate description of what's going on wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { int run_xcodes = 1; register uint32_t pc; // stored in ESI register register uint8_t opcode; // stored in AL register register uint32_t operand_1; // stored in EBC register register uint32_t operand_2; // stored in ECX register register uint32_t result; // stored in EDI register register uint32_t scratch; // stored in EBP register // values are implied as x86 is just starting up operand_1 = 0; operand_2 = 0; scratch = 0; // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 5c94e96999b49d289f56cfbbebf65acdebfcf04c 5645 5644 2017-06-01T16:35:50Z JayFoxRox 2 /* Xcodes */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { register uint32_t pc; // stored in ESI register register uint8_t opcode; // stored in AL register register uint32_t operand_1; // stored in EBC register register uint32_t operand_2; // stored in ECX register register uint32_t result; // stored in EDI register register uint32_t scratch; // stored in EBP register // values are implied as x86 is just starting up operand_1 = 0; operand_2 = 0; scratch = 0; // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] f5e75410dafd3276ecd3f6e18e5e344ed24fb978 5646 5645 2017-06-01T16:36:57Z JayFoxRox 2 /* Xcodes */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 28ff3e5d88fac55802c7520cb6da6842a863b7b4 5647 5646 2017-06-01T16:41:54Z JayFoxRox 2 /* MCPX 1.0: RC4 Decryption of the 2BL */ wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === MCPX 1.0: RC4 Decryption of the 2BL === Version 1.0 of the ROM uses RC4 to decrypt the 2BL.{{FIXME|reason=MCPX 1.1 still uses RC4 afaik, TEA is only used for hashing.. which it is no good at ;) }} ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === Notes === The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. === MCPX 1.1: TEA Decryption of the 2BL === {{FIXME}} == 2BL == Certain parts are still missing === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 267617ad90d8a46dee0cb09922e0938fbcad984a 0 3669 5648 5529 2017-06-02T16:57:19Z JayFoxRox 2 Various small changes wikitext text/x-wiki There are 7{{citation needed|reason=What about debug kits? mcpx revisions? RAM changes? .. should we even try to count?}} Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Encoder]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * Removed data and power lines from LPC port * Xcalibur video chip * Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] c48d981ff2492001e0b481817b01e07a621ef16e 0 1 5649 5611 2017-06-03T15:54:17Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[DVD-IR Internals]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] ffc640d1344208e9a79e1bd40d40e67a2c35e905 5651 5649 2017-06-03T15:59:16Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU|CPU (Custom Pentium 3 733 MHz)]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] e3bd9a587caa664ddb5baef8b12a3b36e67374bf 5661 5651 2017-06-04T01:15:45Z Espes 2484 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[DSP]] * [[Memory]] * [[Flash]] * [[MCPX]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] 07198b207da9ac83b8a21a1151baef580a0d0545 0 3789 5650 2017-06-03T15:57:48Z JayFoxRox 2 Created page with "== Notes == * http://euc.jp/periphs/xbox-controller.en.html" wikitext text/x-wiki == Notes == * http://euc.jp/periphs/xbox-controller.en.html 231dd84635e26e5afbe45d80f55a6d63a26fb4f5 0 3790 5652 2017-06-03T16:03:16Z JayFoxRox 2 Dummy wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} 506a6db2ac9cccbbcbf1b4cae5474c32010a2f31 0 3772 5653 5631 2017-06-03T20:48:22Z KaosEngineer 2482 /* Music visualization in fullscreen */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) == See Also == [[Hard Drive Files]] 0e2786c2e243da6180f65ddaa6c6ff24939b264a 5654 5653 2017-06-03T20:57:37Z KaosEngineer 2482 cite geiss-like from original WinAmp music visualization plugin (http://www.geisswerks.com/geiss/) wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss{{cite web url=http://www.geisswerks.com/geiss/}}-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) == See Also == [[Hard Drive Files]] 0bd31c3043119acaccf27e9cce3e688b6a7309c7 5655 5654 2017-06-03T21:28:24Z KaosEngineer 2482 update reference as {{cite url=...}} not what I wanted. What password someone needs to respond or robo give it back when asked for password wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) == See Also == [[Hard Drive Files]] 0e2786c2e243da6180f65ddaa6c6ff24939b264a 5656 5655 2017-06-03T22:30:28Z KaosEngineer 2482 /* Soundtrack name Easter-Egg (">") */ Steps to activate the easter egg wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) # Insert an audio CD and let it begin to play. # Stop the disk and step back in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Now you will enter the name of your soundtrack. You must enter the name exactly as: <<Eggsßox>> Including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". The "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 8f8539a5d77c9a8a82ae6c05888327349887f78e 5657 5656 2017-06-03T22:33:28Z KaosEngineer 2482 /* Soundtrack name Easter-Egg (">") */ updated activation text wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) Steps to activate Soundtrack Easter Egg: # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggsßox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". The "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 78f0c24a4a6d9b804192af4251d500311336fa14 5658 5657 2017-06-03T22:34:29Z KaosEngineer 2482 /* Soundtrack name Easter-Egg (">") */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) Steps to activate Soundtrack Easter Egg: # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggsßox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 0a39b03d24798d22f817625e268c853c8f28aec3 5659 5658 2017-06-03T22:36:54Z KaosEngineer 2482 /* Soundtrack name Easter-Egg (">") */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) === Steps to activate Soundtrack Easter Egg: === # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 3585652ea5b5306faaa02dca98d62ad1f705804d 5660 5659 2017-06-03T22:37:27Z KaosEngineer 2482 /* Steps to activate Soundtrack Easter Egg: */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 08a0c11206dd13db8137947b7a91fdc2a9a40bf0 5662 5660 2017-06-04T04:56:53Z KaosEngineer 2482 /* Hotkey to switch to HD modes */ Button combo to force 480p output of 5960 dash wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 3db75df6dc297ee6b484290d9c0297b1ef878a08 5663 5662 2017-06-04T05:05:07Z KaosEngineer 2482 /* Hotkey to switch to HD modes */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toogle between 480i and 480p. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 6a1e4fde5880dd49f3ed146a1cba576212cb4cf5 5664 5663 2017-06-04T05:06:00Z KaosEngineer 2482 /* Hotkey to switch to HD modes */ spelling error of toggle :( how stupid! wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 4fe3b66871b3394de48213dcf0116312d4c991fc 5665 5664 2017-06-04T07:28:04Z KaosEngineer 2482 /* Music visualization in fullscreen */ There's a second part to the visualization only visible using the DVD Playback kit remote control wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "Info" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield the cycle repeats with a different random solid bursts of color. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] ad2be2c7d68530555ace0c00c8f20cbebfec5597 5666 5665 2017-06-04T07:32:09Z KaosEngineer 2482 /* Music visualization in fullscreen */ Info to INFO wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield the cycle repeats with a different random solid bursts of color. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] a96ec6b0f443a8e9879a04637c003707b7057d5a 5667 5666 2017-06-04T07:35:17Z KaosEngineer 2482 /* Music visualization in fullscreen */ Last sentence split into two and wording changed up. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. == See Also == [[Hard Drive Files]] 37c14b62f415efe1e58dffbfa2dbc01423078ce6 5668 5667 2017-06-04T07:50:31Z KaosEngineer 2482 /* Steps to activate Soundtrack Easter Egg: */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. == See Also == [[Hard Drive Files]] eab43b1d79ad095985c596e4117f40d34e21cefa 5669 5668 2017-06-04T07:53:51Z KaosEngineer 2482 /* Music visualization in fullscreen */ missing , in Once the music visualization... wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. == See Also == [[Hard Drive Files]] 4ca4f3b813fc92b5cc4c0105ccd4bbf9cedd5334 5674 5669 2017-06-04T13:14:27Z KaosEngineer 2482 /* Music visualization in fullscreen */ Eject stops music playback and when full screen starfield displays.(really you can always see it as part of the visualizer along with the color burst wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. == See Also == [[Hard Drive Files]] 69f6e8714eb1c70d5376e1cdc3c532c2cc3136e8 5675 5674 2017-06-04T13:30:06Z KaosEngineer 2482 /* Hidden features */ Parental Control Bypass wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: # X, Y, Left trigger, X SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. == See Also == [[Hard Drive Files]] 69b2274a20a0ccab8ffbf8f29dddb80dc2961b81 5676 5675 2017-06-04T13:30:59Z KaosEngineer 2482 /* Parental Control Bypass */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: # X, Y, Left trigger, X SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. == See Also == [[Hard Drive Files]] ca785f0193e81af214f4dbfa81e5e4e877292504 5677 5676 2017-06-04T13:32:37Z KaosEngineer 2482 /* Parental Control Bypass */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * X, Y, Left trigger, X SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. == See Also == [[Hard Drive Files]] 5a255309f3d0d59a2360a22d1e8e6365f23aef05 5678 5677 2017-06-04T13:39:00Z KaosEngineer 2482 /* Parental Control Bypass */ Disable pass code button sequence. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * X, Y, Left trigger, X SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press "A" twice to be prompted, "Do you wish to delete the current pass code?". Select Yes or No. == See Also == [[Hard Drive Files]] 30619c87ec37c0000f581691c64279c02b1832c2 2 3791 5670 2017-06-04T09:48:31Z Haxar 2485 Created page with "I wanted to know how NV2A registers were being accessed from Xbox executables. So, I loaded IDA with Turok with the applied Xbox Flirt Signatures v.2 and took references from..." wikitext text/x-wiki I wanted to know how NV2A registers were being accessed from Xbox executables. So, I loaded IDA with Turok with the applied Xbox Flirt Signatures v.2 and took references from '''pbkit''' to help me out with this. '''D3D::CMiniport::MapRegisters''' is where it all begins. This is just a handful of subroutines from the '''D3D::CMiniport''' namespace. Every single access is annotated from '''pbkit'''. It has been very useful. <pre> // turok // using pbkit/outer.h // gpu == 0xfd000000 </pre> <pre> signed int __thiscall D3D::CMiniport::MapRegisters(void *this) { *(_DWORD *)this = 0xFD000000u; // VIDEO_BASE vFD001804 |= 4u; // NV_PBUS_PCI_NV_1_BUS_MASTER_ENABLED vFD600140 = 0; // PCRTC_INTR_EN_VBLANK_DISABLED vFD009140 = 0; // NV_PTIMER_INTR_EN_0_ALARM_DISABLED return 1; } </pre> <pre> signed int __thiscall D3D::CMiniport::LoadEngines(void *this) { void *v1; // edi@1 int gpu; // esi@1 int v3; // eax@1 int v4; // ecx@1 v1 = this; gpu = *(_DWORD *)this; v3 = *(_DWORD *)this + 6220; v4 = *(_DWORD *)v3; *(_DWORD *)v3 &= 0xFFFFFCFFu; *(_DWORD *)v3 = v4; *(_DWORD *)(gpu + 0x200) = 0xFFFFFFFFu; // NV_PMC_ENABLE_ALL_ENABLE *(_DWORD *)(gpu + 0x140) = *((_DWORD *)v1 + 45);// NV_PMC_INTR_EN_0 D3D::CMiniport::HalDacLoad(v1); // PCRTC_INTR_EN_VBLANK_ENABLED *(_DWORD *)(gpu + 0x9400) = 0; // NV_PTIMER_TIME_0 *(_DWORD *)(gpu + 0x9410) = 0; // NV_PTIMER_TIME_1 *(_DWORD *)(gpu + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE D3D::CMiniport::HalGrControlLoad(v1); *(_DWORD *)(gpu + 0x400100) = 0xFFFFFFFFu; // NV_PGRAPH_INTR_ALL_ENABLE *(_DWORD *)(gpu + 0x400140) = 0xFFFFFFFFu; // NV_PGRAPH_INTR_EN_ALL_ENABLE D3D::CMiniport::HalFifoControlLoad(v1); *(_DWORD *)(gpu + 0x2100) = 0xFFFFFFFFu; // NV_PFIFO_INTR_0_ALL_RESET *(_DWORD *)(gpu + 0x2140) = *((_DWORD *)v1 + 71);// NV_PFIFO_INTR_EN_0 *((_DWORD *)v1 + 528) = 0xFFFFFFFFu; *((_DWORD *)v1 + 529) = 0xFFFFFFFFu; *((_DWORD *)v1 + 520) = 0; *((_DWORD *)v1 + 521) = 0; return 1; } </pre> <pre> int __thiscall D3D::CMiniport::HalDacLoad(void *this) { int gpu; // eax@1 gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 6291712) = 1; *(_DWORD *)(gpu + 0x600140) = 1; // PCRTC_INTR_EN_VBLANK_ENABLED return gpu; } </pre> <pre> int __thiscall D3D::CMiniport::HalGrControlLoad(int this) { int v1; // edi@1 int gpu; // esi@1 int v3; // eax@1 signed int v4; // edx@1 int v5; // eax@1 int v6; // ebp@2 int v7; // ebp@2 int v8; // ebp@2 int v9; // eax@3 int v10; // edx@4 int v11; // ebp@4 char v12; // zf@4 int v13; // eax@5 int v14; // eax@5 int v15; // eax@5 signed int v17; // [sp+14h] [bp-4h]@3 v1 = this; gpu = *(_DWORD *)this; v3 = *(_DWORD *)this + 512; *(_DWORD *)v3 &= 0xFFFFEFFFu; *(_DWORD *)v3 |= 0x1000u; *(_DWORD *)(this + 2028) = 0; *(_DWORD *)(this + 2044) = 0; // NV_PGRAPH_DEBUG_4 *(_DWORD *)(this + 2056) = 0; // NV_PGRAPH_UNKNOWN_400B84 *(_DWORD *)(this + 2068) = 0; // NV_PGRAPH_UNKNOWN_400B88 *(_DWORD *)(this + 2032) = 0x118700u; // NV_PGRAPH_DEBUG_1 *(_DWORD *)(this + 2036) = 0x28C3FFu; // NV_PGRAPH_DEBUG_7 *(_DWORD *)(this + 2040) = 0xF3DE0479u; // NV_PGRAPH_DEBUG_3 *(_DWORD *)(this + 2048) = 4; // NV_PGRAPH_DEBUG_5 *(_DWORD *)(this + 2052) = 0x45EAD10Eu; // NV_PGRAPH_UNKNOWN_400B80 *(_DWORD *)(this + 2060) = 0x78u; // NV_PGRAPH_UNKNOWN_400098 *(_DWORD *)(this + 2064) = 0x40u; // NV_PGRAPH_UNKNOWN_40009C *(_DWORD *)(gpu + 0x400080) = 0; // NV_PGRAPH_DEBUG_0_NO_RESET *(_DWORD *)(gpu + 0x400084) = *(_DWORD *)(this + 2032);// NV_PGRAPH_DEBUG_1 *(_DWORD *)(gpu + 0x400880) = *(_DWORD *)(this + 2036);// NV_PGRAPH_DEBUG_7 *(_DWORD *)(gpu + 0x40008C) = *(_DWORD *)(this + 2040);// NV_PGRAPH_DEBUG_3 *(_DWORD *)(gpu + 0x400090) = *(_DWORD *)(this + 2044);// NV_PGRAPH_DEBUG_4 *(_DWORD *)(gpu + 0x400094) = *(_DWORD *)(this + 2048);// NV_PGRAPH_DEBUG_5 *(_DWORD *)(gpu + 0x400B80) = *(_DWORD *)(this + 2052);// NV_PGRAPH_UNKNOWN_400B80 *(_DWORD *)(gpu + 0x400B84) = *(_DWORD *)(this + 2056);// NV_PGRAPH_UNKNOWN_400B84 *(_DWORD *)(gpu + 0x400098) = *(_DWORD *)(this + 2060);// NV_PGRAPH_UNKNOWN_400098 *(_DWORD *)(gpu + 0x40009C) = *(_DWORD *)(this + 2064);// NV_PGRAPH_UNKNOWN_40009C *(_DWORD *)(gpu + 0x400B88) = *(_DWORD *)(this + 2068);// NV_PGRAPH_UNKNOWN_400B88 *(_DWORD *)(gpu + 0x400780) = *(_DWORD *)(this + 320) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_TABLE D3D::CMiniport::HalGrIdle((void *)this); v4 = 80; v5 = gpu + 0x400904; // NV_PGRAPH_TLIMIT_XBOX do { v6 = *(_DWORD *)(v5 - 0x3006C0); // NV_PFB_TLIMIT *(_DWORD *)v5 = v6; // NV_PGRAPH_TLIMIT_XBOX *(_DWORD *)(gpu + 0x400750) = (v4 - 32) & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v6; // NV_PGRAPH_RDI_DATA v7 = *(_DWORD *)(v5 - 0x3006BC); // NV_PFB_TSIZE *(_DWORD *)(v5 + 4) = v7; // NV_PGRAPH_TSIZE_XBOX *(_DWORD *)(gpu + 0x400750) = v4 & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v7; // NV_PGRAPH_RDI_DATA v8 = *(_DWORD *)(v5 - 0x3006C4); // NV_PFB_TILE *(_DWORD *)(v5 - 4) = v8; // NV_PGRAPH_TILE_XBOX *(_DWORD *)(gpu + 0x400750) = (v4 - 64) & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX v4 += 4; v5 += 0x10u; *(_DWORD *)(gpu + 0x400754) = v8; // NV_PGRAPH_RDI_DATA } while ( v4 < 112 ); v9 = gpu + 0x400980; // NV_PGRAPH_ZCOMP_XBOX v17 = 8; do { v10 = *(_DWORD *)(v9 - 0x300680); // NV_PFB_ZCOMP *(_DWORD *)v9 = v10; // NV_PGRAPH_ZCOMP_XBOX v11 = (v9 + 0xFFBFF710 - gpu) & 0x1FFC | 0xEA0000;// (0x90) & 0x1FFC | 0xEA0000 v9 += 4; v12 = v17-- == 1; *(_DWORD *)(gpu + 0x400750) = v11; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v10; // NV_PGRAPH_RDI_DATA } while ( !v12 ); v13 = *(_DWORD *)(gpu + 0x100324); // NV_PFB_ZCOMP_OFFSET *(_DWORD *)(gpu + 0x4009A0) = v13; // NV_PGRAPH_ZCOMP_OFFSET_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA000Cu; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v13; // NV_PGRAPH_RDI_DATA v14 = *(_DWORD *)(gpu + 0x100200); // NV_PFB_CFG0 *(_DWORD *)(gpu + 0x4009A4) = v14; // NV_PGRAPH_CFG0_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA0000u; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v14; // NV_PGRAPH_RDI_DATA v15 = *(_DWORD *)(gpu + 0x100204); // NV_PFB_CFG1 *(_DWORD *)(gpu + 0x4009A8) = v15; // NV_PGRAPH_CFG1_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA0004u; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v15; // NV_PGRAPH_RDI_DATA *(_DWORD *)(gpu + 0x40014C) = 0; // NV_PGRAPH_CTX_SWITCH1_ALL_DISABLE *(_DWORD *)(gpu + 0x400150) = 0; // NV_PGRAPH_CTX_SWITCH2_ALL_DISABLE *(_DWORD *)(gpu + 0x400154) = 0; // NV_PGRAPH_CTX_SWITCH3_ALL_DISABLE *(_DWORD *)(gpu + 0x400158) = 0; // NV_PGRAPH_CTX_SWITCH4_ALL_DISABLE *(_DWORD *)(gpu + 0x400144) = 0x10000000u; // NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED *(_DWORD *)(gpu + 0x400764) = 0x8000000u; // NV_PGRAPH_FFINTFC_ST2_CHID_STATUS_VALID return D3D::CMiniport::HalGrLoadChannelContext((void *)v1, *(_DWORD *)(v1 + 308)); } int __thiscall D3D::CMiniport::HalGrIdle(void *this) { void *v1; // edi@1 int gpu; // esi@1 int result; // eax@1 int v4; // ebx@2 v1 = this; gpu = *(_DWORD *)this; result = *(_DWORD *)(*(_DWORD *)this + 4196096); if ( result ) { do { v4 = *(_DWORD *)(gpu + 0x100); // NV_PBUS_ROM_VERSION_MASK if ( BYTE1(v4) & 0x10 ) result = unknown_libname_835(v1); if ( v4 & 0x1000000 ) result = D3D::CMiniport::VBlank(v1); } while ( *(_DWORD *)(gpu + 0x400700) ); // NV_PGRAPH_STATUS_NOT_BUSY (while BUSY) } return result; } int __thiscall unknown_libname_835(void *this) { int gpu; // esi@1 int v2; // eax@1 int v3; // ebx@1 int v4; // edi@1 void *v6; // [sp+0h] [bp-4h]@1 v6 = this; gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE v2 = *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR v3 = *(_DWORD *)(gpu + 0x400108); // NV_PGRAPH_NSOURCE v4 = *(_DWORD *)(gpu + 0x400704) & 0x1FFC; // NV_PGRAPH_TRAPPED_ADDR_MTHD if ( !(BYTE1(v2) & 0x10) ) // NV_PGRAPH_INTR_MISSING_HW_PENDING goto LABEL_14; *(_DWORD *)(gpu + 0x400100) = 0x1000u; // NV_PGRAPH_INTR_CONTEXT_SWITCH_PENDING while ( *(_DWORD *)(*(_DWORD *)this + 0x400700) )// NV_PGRAPH_STATUS_NOT_BUSY (while BUSY) ; D3D::CMiniport::HalGrLoadChannelContext(this, ((unsigned int)v4 >> 20) & 0x1F); v2 = *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR if ( v2 ) { LABEL_14: *(_DWORD *)(gpu + 0x400100) = v2; // NV_PGRAPH_INTR if ( v3 && v2 & 0x100001 && !(v3 & 0x40) ) // NV_PGRAPH_NSOURCE && NV_PGRAPH_INTR & NV_PGRAPH_INTR_NOTIFY_PENDING|NV_PGRAPH_INTR_ERROR_PENDING && !(NV_PGRAPH_NSOURCE & NV_PGRAPH_NSOURCE_ILLEGAL_MTHD_PENDING) { if ( v4 == 0x100 ) // NV_PGRAPH_TRAPPED_ADDR_MTHD { D3D::CMiniport::SoftwareMethod(v6, *(_DWORD *)(gpu + 0x400708));// NV_PGRAPH_TRAPPED_DATA_LOW } else { unknown_libname_837( "Graphics hardware error information:\n Source: %08x\n ChID: %d\n Class: %x\n Method: %08x\n Data: %08x\n Get: %08x\n", v3, // NV_PGRAPH_NSOURCE ((unsigned int)v4 >> 20) & 0x1F, // NV_PGRAPH_TRAPPED_ADDR_CHID *(_DWORD *)(gpu + 0x40014C) & 0xFF, // NV_PGRAPH_CTX_SWITCH1_GRCLASS v4, // NV_PGRAPH_TRAPPED_ADDR_MTHD *(_DWORD *)(gpu + 0x400708), // NV_PGRAPH_TRAPPED_DATA_LOW vFD003244 | 0x80000000); // NV_PFIFO_CACHE1_DMA_GET __debugbreak(); } } } *(_DWORD *)(gpu + 0x400720) = 1; // NV_PGRAPH_FIFO_ACCESS_ENABLE return *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR } //TODO D3D::CMiniport::VBlank int __thiscall D3D::CMiniport::HalGrLoadChannelContext(void *this, int a2) { void *v2; // ebx@1 int gpu; // esi@1 int v4; // edx@3 int result; // eax@6 signed int v6; // eax@8 int v7; // edi@10 int v8; // esi@10 int v9; // [sp+Ch] [bp-4h]@3 v2 = this; gpu = *(_DWORD *)this; if ( *(_DWORD *)(*(_DWORD *)this + 4194560) ) unknown_libname_835(this); v9 = *(_DWORD *)(gpu + 0x400720); // NV_PGRAPH_FIFO *(_DWORD *)(gpu + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE D3D::CMiniport::HalGrIdle(v2); v4 = a2; if ( *((_DWORD *)v2 + 77) != a2 ) { D3D::CMiniport::HalGrUnloadChannelContext(v2, *((_DWORD *)v2 + 77)); v4 = a2; } *((_DWORD *)v2 + 77) = v4; if ( v4 == 2 ) { *(_DWORD *)(gpu + 0x400144) = 0x10000100u; // NV_PGRAPH_CTX_CONTROL_TIME_NOT_EXPIRED|NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED result = v9 | 1; *(_DWORD *)(gpu + 0x400764) = 0x8000000u; // NV_PGRAPH_FFINTFC_ST2_CHID_STATUS_VALID *(_DWORD *)(gpu + 0x400720) = v9 | 1; // NV_PGRAPH_FIFO_ACCESS_ENABLE } else { if ( *((_DWORD *)v2 + v4 + 81) ) { *(_DWORD *)(gpu + 0x400080) = 0x70000u; // NV_PGRAPH_DEBUG_0_IDX_STATE_RESET|NV_PGRAPH_DEBUG_0_VTX_STATE_RESET|NV_PGRAPH_DEBUG_0_CAS_STATE_RESET *(_DWORD *)(gpu + 0x400080) = 0; // NV_PGRAPH_DEBUG_0_NO_RESET *(_DWORD *)(gpu + 0x400750) = 0x3D0000u; // NV_PGRAPH_RDI_INDEX_SELECT v6 = 15; do { --v6; *(_DWORD *)(gpu + 0x400754) = 0; // NV_PGRAPH_RDI_DATA } while ( v6 ); } *(_DWORD *)(gpu + 0x400084) |= 0x1000000u; // NV_PGRAPH_DEBUG_1_CACHE_INVALIDATE v7 = (v4 & 0x1F) << 24; *(_DWORD *)(gpu + 0x400148) = v7; // NV_PGRAPH_CTX_USER *(_DWORD *)(gpu + 0x400784) = *((_DWORD *)v2 + a2 + 78) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_POINTER_INST *(_DWORD *)(gpu + 0x400788) = 1; // NV_PGRAPH_CHANNEL_CTX_STATUS_LOADED D3D::CMiniport::HalGrIdle(v2); *(_DWORD *)(gpu + 0x400148) = v7 | *(_DWORD *)(gpu + 0x400148) & 0xE0FFFFFF;// NV_PGRAPH_CTX_USER_CHID (inverted mask) *(_DWORD *)(gpu + 0x400144) = 0x10010100u; // NV_PGRAPH_CTX_CONTROL_TIME_NOT_EXPIRED|NV_PGRAPH_CTX_CONTROL_CHID_VALID|NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED v8 = gpu + 0x400764; // NV_PGRAPH_FFINTFC_ST2 result = *(_DWORD *)v8 & 0xCFFFFFFF; // NV_PGRAPH_FFINTFC_ST2_CHSWITCH_CLEAR&NV_PGRAPH_FFINTFC_ST2_FIFOHOLD_CLEAR *(_DWORD *)v8 = result; // NV_PGRAPH_FFINTFC_ST2 } return result; } int __thiscall D3D::CMiniport::HalGrUnloadChannelContext(void *this, int a2) { int result; // eax@1 int gpu; // esi@1 result = a2; gpu = *(_DWORD *)this; if ( a2 != 2 ) { *(_DWORD *)(gpu + 0x400784) = *((_DWORD *)this + a2 + 78) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_POINTER_INST *(_DWORD *)(gpu + 0x400788) = 2; // NV_PGRAPH_CHANNEL_CTX_STATUS_UNLOADED result = D3D::CMiniport::HalGrIdle(this); *(_DWORD *)(gpu + 0x400144) = 0x10000000u; // NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED } return result; } </pre> <pre> int __thiscall D3D::CMiniport::HalFifoControlLoad(void *this) { int gpu; // esi@1 int result; // eax@1 gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 12836) = 0xF0078u; *(_DWORD *)(gpu + 0x2044) = 0x101FFFFu; // NV_PFIFO_DMA_TIMESLICE_SELECT_128K|NV_PFIFO_DMA_TIMESLICE_TIMEOUT_ENABLED *(_DWORD *)(gpu + 0x2040) = *((_DWORD *)this + 72) & 0x3FF;// NV_PFIFO_DELAY_0_WAIT_RETRY *(_DWORD *)(gpu + 0x2500) = 0; // NV_PFIFO_CACHES_ALL_DISABLE *(_DWORD *)(gpu + 0x3000) = 0; // NV_PFIFO_CACHE0_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3050) = 0; // NV_PFIFO_CACHE0_PULL0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3200) = 0; // NV_PFIFO_CACHE1_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3250) = 0; // NV_PFIFO_CACHE1_PULL0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3220) = 0; // NV_PFIFO_CACHE1_DMA_PUSH_ACCESS_DISABLE result = D3D::CMiniport::HalFifoContextSwitch(this, 1); *(_DWORD *)(gpu + 0x3210) = 0; // NV_PFIFO_CACHE1_PUT_ADDRESS *(_DWORD *)(gpu + 0x3270) = 0; // NV_PFIFO_CACHE1_GET_ADDRESS *(_DWORD *)(gpu + 0x3250) = 1; // NV_PFIFO_CACHE1_PULL0_ACCESS_ENABLE *(_DWORD *)(gpu + 0x3200) = 1; // NV_PFIFO_CACHE1_PUSH0_ACCESS_ENABLE *(_DWORD *)(gpu + 0x2500) = 1; // NV_PFIFO_CACHES_REASSIGN_ENABLED *(_DWORD *)(gpu + 0x2500) = 0; // NV_PFIFO_CACHES_ALL_DISABLE return result; } int __thiscall D3D::CMiniport::HalFifoContextSwitch(void *this, int a2_switch) { void *v2; // esi@1 int gpu; // eax@1 int v4; // ebx@1 int v5; // ecx@1 int v6; // edx@1 int v7; // ecx@2 int v8; // edx@8 int v9; // [sp+Ch] [bp-14h]@1 int v10; // [sp+10h] [bp-10h]@1 int v11; // [sp+14h] [bp-Ch]@1 signed int v12; // [sp+1Ch] [bp-4h]@2 v2 = this; gpu = *(_DWORD *)this; v4 = *((_DWORD *)this + 74); // unknown1 v9 = *(_DWORD *)(*(_DWORD *)this + 9472); v10 = *(_DWORD *)(*(_DWORD *)this + 12800); v11 = *(_DWORD *)(*(_DWORD *)this + 12880); *(_DWORD *)(*(_DWORD *)this + 9472) = 0; *(_DWORD *)(gpu + 0x3200) = 0; // NV_PFIFO_CACHE1_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3250) = 0; // NV_PFIFO_CACHE1_PULL0_ACCESS_DISABLE v5 = *(_DWORD *)(gpu + 0x3204) & 0x1F; // NV_PFIFO_CACHE1_PUSH1_CHID v6 = gpu + v4 + ((*(_DWORD *)(gpu + 0x3204) & 0x1F) << 6);// unknown2 *(_DWORD *)v6 = *(_DWORD *)(gpu + 0x3240); // NV_PFIFO_CACHE1_DMA_PUT *(_DWORD *)(v6 + 4) = *(_DWORD *)(gpu + 0x3244);// NV_PFIFO_CACHE1_DMA_GET *(_DWORD *)(v6 + 8) = *(_DWORD *)(gpu + 0x3248);// NV_PFIFO_CACHE1_REF *(_DWORD *)(v6 + 12) = *(_DWORD *)(gpu + 0x322C);// NV_PFIFO_CACHE1_DMA_INSTANCE *(_DWORD *)(v6 + 16) = *(_DWORD *)(gpu + 0x3228);// NV_PFIFO_CACHE1_DMA_STATE *(_DWORD *)(v6 + 20) = *(_DWORD *)(gpu + 0x3224);// NV_PFIFO_CACHE1_DMA_FETCH *(_DWORD *)(v6 + 24) = *(_DWORD *)(gpu + 0x3280);// NV_PFIFO_CACHE1_ENGINE *(_DWORD *)(v6 + 28) = *(_DWORD *)(gpu + 0x3254);// NV_PFIFO_CACHE1_PULL1 *(_DWORD *)(v6 + 32) = *(_DWORD *)(gpu + 0x3268);// NV_PFIFO_CACHE1_ACQUIRE_2 *(_DWORD *)(v6 + 36) = *(_DWORD *)(gpu + 0x3264);// NV_PFIFO_CACHE1_ACQUIRE_1 *(_DWORD *)(v6 + 40) = *(_DWORD *)(gpu + 0x3260);// NV_PFIFO_CACHE1_ACQUIRE_0 *(_DWORD *)(v6 + 44) = *(_DWORD *)(gpu + 0x326C);// NV_PFIFO_CACHE1_SEMAPHORE *(_DWORD *)(v6 + 48) = *(_DWORD *)(gpu + 0x324C);// NV_PFIFO_CACHE1_DMA_SUBROUTINE if ( *(_DWORD *)(gpu + 0x3204) & 0x100 ) // NV_PFIFO_CACHE1_PUSH1_MODE_DMA { v12 = 1 << v5; v7 = *(_DWORD *)(gpu + 0x2508) & ~(1 << v5);// NV_PFIFO_DMA if ( *(_DWORD *)(gpu + 0x3240) != *(_DWORD *)(gpu + 0x3244) )// NV_PFIFO_CACHE1_DMA_PUT != NV_PFIFO_CACHE1_DMA_GET v7 |= v12; *(_DWORD *)(gpu + 0x2508) = v7; // NV_PFIFO_DMA } *(_DWORD *)(gpu + 0x3204) = a2_switch & 0x1F; // NV_PFIFO_CACHE1_PUSH1_CHID if ( (1 << a2_switch) & *((_DWORD *)v2 + 65) && a2_switch != 1 ) *(_DWORD *)(gpu + 0x3204) |= 0x100u; // NV_PFIFO_CACHE1_PUSH1_MODE_DMA v8 = v4 + (a2_switch << 6) + gpu; // unknown3 *(_DWORD *)(gpu + 0x3240) = *(_DWORD *)v8; // NV_PFIFO_CACHE1_DMA_PUT *(_DWORD *)(gpu + 0x3244) = *(_DWORD *)(v8 + 4);// NV_PFIFO_CACHE1_DMA_GET *(_DWORD *)(gpu + 0x3248) = *(_DWORD *)(v8 + 8);// NV_PFIFO_CACHE1_REF *(_DWORD *)(gpu + 0x322C) = *(_DWORD *)(v8 + 12);// NV_PFIFO_CACHE1_DMA_INSTANCE *(_DWORD *)(gpu + 0x3228) = *(_DWORD *)(v8 + 16);// NV_PFIFO_CACHE1_DMA_STATE *(_DWORD *)(gpu + 0x3224) = *(_DWORD *)(v8 + 20);// NV_PFIFO_CACHE1_DMA_FETCH *(_DWORD *)(gpu + 0x3280) = *(_DWORD *)(v8 + 24);// NV_PFIFO_CACHE1_ENGINE *(_DWORD *)(gpu + 0x3254) = *(_DWORD *)(v8 + 28);// NV_PFIFO_CACHE1_PULL1 *(_DWORD *)(gpu + 0x3268) = *(_DWORD *)(v8 + 32);// NV_PFIFO_CACHE1_ACQUIRE_2 *(_DWORD *)(gpu + 0x3264) = *(_DWORD *)(v8 + 36);// NV_PFIFO_CACHE1_ACQUIRE_1 *(_DWORD *)(gpu + 0x3260) = *(_DWORD *)(v8 + 40);// NV_PFIFO_CACHE1_ACQUIRE_0 *(_DWORD *)(gpu + 0x326C) = *(_DWORD *)(v8 + 44);// NV_PFIFO_CACHE1_SEMAPHORE *(_DWORD *)(gpu + 0x324C) = *(_DWORD *)(v8 + 48);// NV_PFIFO_CACHE1_DMA_SUBROUTINE if ( (1 << a2_switch) & *((_DWORD *)v2 + 65) && a2_switch != 1 ) *(_DWORD *)(gpu + 0x3220) = 1; // NV_PFIFO_CACHE1_DMA_PUSH_ACCESS_ENABLE *(_DWORD *)(gpu + 0x204C) = 0x1FFFFFu; // NV_PFIFO_TIMESLICE_TIMER_EXPIRED *(_DWORD *)(gpu + 0x3250) = v11; // NV_PFIFO_CACHE1_PULL0 *(_DWORD *)(gpu + 0x3200) = v10; // NV_PFIFO_CACHE1_PUSH0 *(_DWORD *)(gpu + 0x2500) = v9; // NV_PFIFO_CACHES return gpu; } </pre> 7d6fe5cb962df3df26935b0b5780bc91e1a2794d 5672 5670 2017-06-04T09:51:02Z Haxar 2485 wikitext text/x-wiki === NV2A register access from D3D8 === I wanted to know how NV2A registers were being accessed from Xbox executables. So, I loaded IDA with Turok with the applied Xbox Flirt Signatures v.2 and took references from '''pbkit''' to help me out with this. '''D3D::CMiniport::MapRegisters''' is where it all begins. This is just a handful of subroutines from the '''D3D::CMiniport''' namespace. Every single access is annotated from '''pbkit'''. It has been very useful. <pre> // turok // using pbkit/outer.h // gpu == 0xfd000000 </pre> <pre> signed int __thiscall D3D::CMiniport::MapRegisters(void *this) { *(_DWORD *)this = 0xFD000000u; // VIDEO_BASE vFD001804 |= 4u; // NV_PBUS_PCI_NV_1_BUS_MASTER_ENABLED vFD600140 = 0; // PCRTC_INTR_EN_VBLANK_DISABLED vFD009140 = 0; // NV_PTIMER_INTR_EN_0_ALARM_DISABLED return 1; } </pre> <pre> signed int __thiscall D3D::CMiniport::LoadEngines(void *this) { void *v1; // edi@1 int gpu; // esi@1 int v3; // eax@1 int v4; // ecx@1 v1 = this; gpu = *(_DWORD *)this; v3 = *(_DWORD *)this + 6220; v4 = *(_DWORD *)v3; *(_DWORD *)v3 &= 0xFFFFFCFFu; *(_DWORD *)v3 = v4; *(_DWORD *)(gpu + 0x200) = 0xFFFFFFFFu; // NV_PMC_ENABLE_ALL_ENABLE *(_DWORD *)(gpu + 0x140) = *((_DWORD *)v1 + 45);// NV_PMC_INTR_EN_0 D3D::CMiniport::HalDacLoad(v1); // PCRTC_INTR_EN_VBLANK_ENABLED *(_DWORD *)(gpu + 0x9400) = 0; // NV_PTIMER_TIME_0 *(_DWORD *)(gpu + 0x9410) = 0; // NV_PTIMER_TIME_1 *(_DWORD *)(gpu + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE D3D::CMiniport::HalGrControlLoad(v1); *(_DWORD *)(gpu + 0x400100) = 0xFFFFFFFFu; // NV_PGRAPH_INTR_ALL_ENABLE *(_DWORD *)(gpu + 0x400140) = 0xFFFFFFFFu; // NV_PGRAPH_INTR_EN_ALL_ENABLE D3D::CMiniport::HalFifoControlLoad(v1); *(_DWORD *)(gpu + 0x2100) = 0xFFFFFFFFu; // NV_PFIFO_INTR_0_ALL_RESET *(_DWORD *)(gpu + 0x2140) = *((_DWORD *)v1 + 71);// NV_PFIFO_INTR_EN_0 *((_DWORD *)v1 + 528) = 0xFFFFFFFFu; *((_DWORD *)v1 + 529) = 0xFFFFFFFFu; *((_DWORD *)v1 + 520) = 0; *((_DWORD *)v1 + 521) = 0; return 1; } </pre> <pre> int __thiscall D3D::CMiniport::HalDacLoad(void *this) { int gpu; // eax@1 gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 6291712) = 1; *(_DWORD *)(gpu + 0x600140) = 1; // PCRTC_INTR_EN_VBLANK_ENABLED return gpu; } </pre> <pre> int __thiscall D3D::CMiniport::HalGrControlLoad(int this) { int v1; // edi@1 int gpu; // esi@1 int v3; // eax@1 signed int v4; // edx@1 int v5; // eax@1 int v6; // ebp@2 int v7; // ebp@2 int v8; // ebp@2 int v9; // eax@3 int v10; // edx@4 int v11; // ebp@4 char v12; // zf@4 int v13; // eax@5 int v14; // eax@5 int v15; // eax@5 signed int v17; // [sp+14h] [bp-4h]@3 v1 = this; gpu = *(_DWORD *)this; v3 = *(_DWORD *)this + 512; *(_DWORD *)v3 &= 0xFFFFEFFFu; *(_DWORD *)v3 |= 0x1000u; *(_DWORD *)(this + 2028) = 0; *(_DWORD *)(this + 2044) = 0; // NV_PGRAPH_DEBUG_4 *(_DWORD *)(this + 2056) = 0; // NV_PGRAPH_UNKNOWN_400B84 *(_DWORD *)(this + 2068) = 0; // NV_PGRAPH_UNKNOWN_400B88 *(_DWORD *)(this + 2032) = 0x118700u; // NV_PGRAPH_DEBUG_1 *(_DWORD *)(this + 2036) = 0x28C3FFu; // NV_PGRAPH_DEBUG_7 *(_DWORD *)(this + 2040) = 0xF3DE0479u; // NV_PGRAPH_DEBUG_3 *(_DWORD *)(this + 2048) = 4; // NV_PGRAPH_DEBUG_5 *(_DWORD *)(this + 2052) = 0x45EAD10Eu; // NV_PGRAPH_UNKNOWN_400B80 *(_DWORD *)(this + 2060) = 0x78u; // NV_PGRAPH_UNKNOWN_400098 *(_DWORD *)(this + 2064) = 0x40u; // NV_PGRAPH_UNKNOWN_40009C *(_DWORD *)(gpu + 0x400080) = 0; // NV_PGRAPH_DEBUG_0_NO_RESET *(_DWORD *)(gpu + 0x400084) = *(_DWORD *)(this + 2032);// NV_PGRAPH_DEBUG_1 *(_DWORD *)(gpu + 0x400880) = *(_DWORD *)(this + 2036);// NV_PGRAPH_DEBUG_7 *(_DWORD *)(gpu + 0x40008C) = *(_DWORD *)(this + 2040);// NV_PGRAPH_DEBUG_3 *(_DWORD *)(gpu + 0x400090) = *(_DWORD *)(this + 2044);// NV_PGRAPH_DEBUG_4 *(_DWORD *)(gpu + 0x400094) = *(_DWORD *)(this + 2048);// NV_PGRAPH_DEBUG_5 *(_DWORD *)(gpu + 0x400B80) = *(_DWORD *)(this + 2052);// NV_PGRAPH_UNKNOWN_400B80 *(_DWORD *)(gpu + 0x400B84) = *(_DWORD *)(this + 2056);// NV_PGRAPH_UNKNOWN_400B84 *(_DWORD *)(gpu + 0x400098) = *(_DWORD *)(this + 2060);// NV_PGRAPH_UNKNOWN_400098 *(_DWORD *)(gpu + 0x40009C) = *(_DWORD *)(this + 2064);// NV_PGRAPH_UNKNOWN_40009C *(_DWORD *)(gpu + 0x400B88) = *(_DWORD *)(this + 2068);// NV_PGRAPH_UNKNOWN_400B88 *(_DWORD *)(gpu + 0x400780) = *(_DWORD *)(this + 320) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_TABLE D3D::CMiniport::HalGrIdle((void *)this); v4 = 80; v5 = gpu + 0x400904; // NV_PGRAPH_TLIMIT_XBOX do { v6 = *(_DWORD *)(v5 - 0x3006C0); // NV_PFB_TLIMIT *(_DWORD *)v5 = v6; // NV_PGRAPH_TLIMIT_XBOX *(_DWORD *)(gpu + 0x400750) = (v4 - 32) & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v6; // NV_PGRAPH_RDI_DATA v7 = *(_DWORD *)(v5 - 0x3006BC); // NV_PFB_TSIZE *(_DWORD *)(v5 + 4) = v7; // NV_PGRAPH_TSIZE_XBOX *(_DWORD *)(gpu + 0x400750) = v4 & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v7; // NV_PGRAPH_RDI_DATA v8 = *(_DWORD *)(v5 - 0x3006C4); // NV_PFB_TILE *(_DWORD *)(v5 - 4) = v8; // NV_PGRAPH_TILE_XBOX *(_DWORD *)(gpu + 0x400750) = (v4 - 64) & 0x1FFC | 0xEA0000;// NV_PGRAPH_RDI_INDEX v4 += 4; v5 += 0x10u; *(_DWORD *)(gpu + 0x400754) = v8; // NV_PGRAPH_RDI_DATA } while ( v4 < 112 ); v9 = gpu + 0x400980; // NV_PGRAPH_ZCOMP_XBOX v17 = 8; do { v10 = *(_DWORD *)(v9 - 0x300680); // NV_PFB_ZCOMP *(_DWORD *)v9 = v10; // NV_PGRAPH_ZCOMP_XBOX v11 = (v9 + 0xFFBFF710 - gpu) & 0x1FFC | 0xEA0000;// (0x90) & 0x1FFC | 0xEA0000 v9 += 4; v12 = v17-- == 1; *(_DWORD *)(gpu + 0x400750) = v11; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v10; // NV_PGRAPH_RDI_DATA } while ( !v12 ); v13 = *(_DWORD *)(gpu + 0x100324); // NV_PFB_ZCOMP_OFFSET *(_DWORD *)(gpu + 0x4009A0) = v13; // NV_PGRAPH_ZCOMP_OFFSET_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA000Cu; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v13; // NV_PGRAPH_RDI_DATA v14 = *(_DWORD *)(gpu + 0x100200); // NV_PFB_CFG0 *(_DWORD *)(gpu + 0x4009A4) = v14; // NV_PGRAPH_CFG0_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA0000u; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v14; // NV_PGRAPH_RDI_DATA v15 = *(_DWORD *)(gpu + 0x100204); // NV_PFB_CFG1 *(_DWORD *)(gpu + 0x4009A8) = v15; // NV_PGRAPH_CFG1_XBOX *(_DWORD *)(gpu + 0x400750) = 0xEA0004u; // NV_PGRAPH_RDI_INDEX *(_DWORD *)(gpu + 0x400754) = v15; // NV_PGRAPH_RDI_DATA *(_DWORD *)(gpu + 0x40014C) = 0; // NV_PGRAPH_CTX_SWITCH1_ALL_DISABLE *(_DWORD *)(gpu + 0x400150) = 0; // NV_PGRAPH_CTX_SWITCH2_ALL_DISABLE *(_DWORD *)(gpu + 0x400154) = 0; // NV_PGRAPH_CTX_SWITCH3_ALL_DISABLE *(_DWORD *)(gpu + 0x400158) = 0; // NV_PGRAPH_CTX_SWITCH4_ALL_DISABLE *(_DWORD *)(gpu + 0x400144) = 0x10000000u; // NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED *(_DWORD *)(gpu + 0x400764) = 0x8000000u; // NV_PGRAPH_FFINTFC_ST2_CHID_STATUS_VALID return D3D::CMiniport::HalGrLoadChannelContext((void *)v1, *(_DWORD *)(v1 + 308)); } int __thiscall D3D::CMiniport::HalGrIdle(void *this) { void *v1; // edi@1 int gpu; // esi@1 int result; // eax@1 int v4; // ebx@2 v1 = this; gpu = *(_DWORD *)this; result = *(_DWORD *)(*(_DWORD *)this + 4196096); if ( result ) { do { v4 = *(_DWORD *)(gpu + 0x100); // NV_PBUS_ROM_VERSION_MASK if ( BYTE1(v4) & 0x10 ) result = unknown_libname_835(v1); if ( v4 & 0x1000000 ) result = D3D::CMiniport::VBlank(v1); } while ( *(_DWORD *)(gpu + 0x400700) ); // NV_PGRAPH_STATUS_NOT_BUSY (while BUSY) } return result; } int __thiscall unknown_libname_835(void *this) { int gpu; // esi@1 int v2; // eax@1 int v3; // ebx@1 int v4; // edi@1 void *v6; // [sp+0h] [bp-4h]@1 v6 = this; gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE v2 = *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR v3 = *(_DWORD *)(gpu + 0x400108); // NV_PGRAPH_NSOURCE v4 = *(_DWORD *)(gpu + 0x400704) & 0x1FFC; // NV_PGRAPH_TRAPPED_ADDR_MTHD if ( !(BYTE1(v2) & 0x10) ) // NV_PGRAPH_INTR_MISSING_HW_PENDING goto LABEL_14; *(_DWORD *)(gpu + 0x400100) = 0x1000u; // NV_PGRAPH_INTR_CONTEXT_SWITCH_PENDING while ( *(_DWORD *)(*(_DWORD *)this + 0x400700) )// NV_PGRAPH_STATUS_NOT_BUSY (while BUSY) ; D3D::CMiniport::HalGrLoadChannelContext(this, ((unsigned int)v4 >> 20) & 0x1F); v2 = *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR if ( v2 ) { LABEL_14: *(_DWORD *)(gpu + 0x400100) = v2; // NV_PGRAPH_INTR if ( v3 && v2 & 0x100001 && !(v3 & 0x40) ) // NV_PGRAPH_NSOURCE && NV_PGRAPH_INTR & NV_PGRAPH_INTR_NOTIFY_PENDING|NV_PGRAPH_INTR_ERROR_PENDING && !(NV_PGRAPH_NSOURCE & NV_PGRAPH_NSOURCE_ILLEGAL_MTHD_PENDING) { if ( v4 == 0x100 ) // NV_PGRAPH_TRAPPED_ADDR_MTHD { D3D::CMiniport::SoftwareMethod(v6, *(_DWORD *)(gpu + 0x400708));// NV_PGRAPH_TRAPPED_DATA_LOW } else { unknown_libname_837( "Graphics hardware error information:\n Source: %08x\n ChID: %d\n Class: %x\n Method: %08x\n Data: %08x\n Get: %08x\n", v3, // NV_PGRAPH_NSOURCE ((unsigned int)v4 >> 20) & 0x1F, // NV_PGRAPH_TRAPPED_ADDR_CHID *(_DWORD *)(gpu + 0x40014C) & 0xFF, // NV_PGRAPH_CTX_SWITCH1_GRCLASS v4, // NV_PGRAPH_TRAPPED_ADDR_MTHD *(_DWORD *)(gpu + 0x400708), // NV_PGRAPH_TRAPPED_DATA_LOW vFD003244 | 0x80000000); // NV_PFIFO_CACHE1_DMA_GET __debugbreak(); } } } *(_DWORD *)(gpu + 0x400720) = 1; // NV_PGRAPH_FIFO_ACCESS_ENABLE return *(_DWORD *)(gpu + 0x400100); // NV_PGRAPH_INTR } //TODO D3D::CMiniport::VBlank int __thiscall D3D::CMiniport::HalGrLoadChannelContext(void *this, int a2) { void *v2; // ebx@1 int gpu; // esi@1 int v4; // edx@3 int result; // eax@6 signed int v6; // eax@8 int v7; // edi@10 int v8; // esi@10 int v9; // [sp+Ch] [bp-4h]@3 v2 = this; gpu = *(_DWORD *)this; if ( *(_DWORD *)(*(_DWORD *)this + 4194560) ) unknown_libname_835(this); v9 = *(_DWORD *)(gpu + 0x400720); // NV_PGRAPH_FIFO *(_DWORD *)(gpu + 0x400720) = 0; // NV_PGRAPH_FIFO_ACCESS_DISABLE D3D::CMiniport::HalGrIdle(v2); v4 = a2; if ( *((_DWORD *)v2 + 77) != a2 ) { D3D::CMiniport::HalGrUnloadChannelContext(v2, *((_DWORD *)v2 + 77)); v4 = a2; } *((_DWORD *)v2 + 77) = v4; if ( v4 == 2 ) { *(_DWORD *)(gpu + 0x400144) = 0x10000100u; // NV_PGRAPH_CTX_CONTROL_TIME_NOT_EXPIRED|NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED result = v9 | 1; *(_DWORD *)(gpu + 0x400764) = 0x8000000u; // NV_PGRAPH_FFINTFC_ST2_CHID_STATUS_VALID *(_DWORD *)(gpu + 0x400720) = v9 | 1; // NV_PGRAPH_FIFO_ACCESS_ENABLE } else { if ( *((_DWORD *)v2 + v4 + 81) ) { *(_DWORD *)(gpu + 0x400080) = 0x70000u; // NV_PGRAPH_DEBUG_0_IDX_STATE_RESET|NV_PGRAPH_DEBUG_0_VTX_STATE_RESET|NV_PGRAPH_DEBUG_0_CAS_STATE_RESET *(_DWORD *)(gpu + 0x400080) = 0; // NV_PGRAPH_DEBUG_0_NO_RESET *(_DWORD *)(gpu + 0x400750) = 0x3D0000u; // NV_PGRAPH_RDI_INDEX_SELECT v6 = 15; do { --v6; *(_DWORD *)(gpu + 0x400754) = 0; // NV_PGRAPH_RDI_DATA } while ( v6 ); } *(_DWORD *)(gpu + 0x400084) |= 0x1000000u; // NV_PGRAPH_DEBUG_1_CACHE_INVALIDATE v7 = (v4 & 0x1F) << 24; *(_DWORD *)(gpu + 0x400148) = v7; // NV_PGRAPH_CTX_USER *(_DWORD *)(gpu + 0x400784) = *((_DWORD *)v2 + a2 + 78) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_POINTER_INST *(_DWORD *)(gpu + 0x400788) = 1; // NV_PGRAPH_CHANNEL_CTX_STATUS_LOADED D3D::CMiniport::HalGrIdle(v2); *(_DWORD *)(gpu + 0x400148) = v7 | *(_DWORD *)(gpu + 0x400148) & 0xE0FFFFFF;// NV_PGRAPH_CTX_USER_CHID (inverted mask) *(_DWORD *)(gpu + 0x400144) = 0x10010100u; // NV_PGRAPH_CTX_CONTROL_TIME_NOT_EXPIRED|NV_PGRAPH_CTX_CONTROL_CHID_VALID|NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED v8 = gpu + 0x400764; // NV_PGRAPH_FFINTFC_ST2 result = *(_DWORD *)v8 & 0xCFFFFFFF; // NV_PGRAPH_FFINTFC_ST2_CHSWITCH_CLEAR&NV_PGRAPH_FFINTFC_ST2_FIFOHOLD_CLEAR *(_DWORD *)v8 = result; // NV_PGRAPH_FFINTFC_ST2 } return result; } int __thiscall D3D::CMiniport::HalGrUnloadChannelContext(void *this, int a2) { int result; // eax@1 int gpu; // esi@1 result = a2; gpu = *(_DWORD *)this; if ( a2 != 2 ) { *(_DWORD *)(gpu + 0x400784) = *((_DWORD *)this + a2 + 78) & 0xFFFF;// NV_PGRAPH_CHANNEL_CTX_POINTER_INST *(_DWORD *)(gpu + 0x400788) = 2; // NV_PGRAPH_CHANNEL_CTX_STATUS_UNLOADED result = D3D::CMiniport::HalGrIdle(this); *(_DWORD *)(gpu + 0x400144) = 0x10000000u; // NV_PGRAPH_CTX_CONTROL_DEVICE_ENABLED } return result; } </pre> <pre> int __thiscall D3D::CMiniport::HalFifoControlLoad(void *this) { int gpu; // esi@1 int result; // eax@1 gpu = *(_DWORD *)this; *(_DWORD *)(*(_DWORD *)this + 12836) = 0xF0078u; *(_DWORD *)(gpu + 0x2044) = 0x101FFFFu; // NV_PFIFO_DMA_TIMESLICE_SELECT_128K|NV_PFIFO_DMA_TIMESLICE_TIMEOUT_ENABLED *(_DWORD *)(gpu + 0x2040) = *((_DWORD *)this + 72) & 0x3FF;// NV_PFIFO_DELAY_0_WAIT_RETRY *(_DWORD *)(gpu + 0x2500) = 0; // NV_PFIFO_CACHES_ALL_DISABLE *(_DWORD *)(gpu + 0x3000) = 0; // NV_PFIFO_CACHE0_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3050) = 0; // NV_PFIFO_CACHE0_PULL0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3200) = 0; // NV_PFIFO_CACHE1_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3250) = 0; // NV_PFIFO_CACHE1_PULL0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3220) = 0; // NV_PFIFO_CACHE1_DMA_PUSH_ACCESS_DISABLE result = D3D::CMiniport::HalFifoContextSwitch(this, 1); *(_DWORD *)(gpu + 0x3210) = 0; // NV_PFIFO_CACHE1_PUT_ADDRESS *(_DWORD *)(gpu + 0x3270) = 0; // NV_PFIFO_CACHE1_GET_ADDRESS *(_DWORD *)(gpu + 0x3250) = 1; // NV_PFIFO_CACHE1_PULL0_ACCESS_ENABLE *(_DWORD *)(gpu + 0x3200) = 1; // NV_PFIFO_CACHE1_PUSH0_ACCESS_ENABLE *(_DWORD *)(gpu + 0x2500) = 1; // NV_PFIFO_CACHES_REASSIGN_ENABLED *(_DWORD *)(gpu + 0x2500) = 0; // NV_PFIFO_CACHES_ALL_DISABLE return result; } int __thiscall D3D::CMiniport::HalFifoContextSwitch(void *this, int a2_switch) { void *v2; // esi@1 int gpu; // eax@1 int v4; // ebx@1 int v5; // ecx@1 int v6; // edx@1 int v7; // ecx@2 int v8; // edx@8 int v9; // [sp+Ch] [bp-14h]@1 int v10; // [sp+10h] [bp-10h]@1 int v11; // [sp+14h] [bp-Ch]@1 signed int v12; // [sp+1Ch] [bp-4h]@2 v2 = this; gpu = *(_DWORD *)this; v4 = *((_DWORD *)this + 74); // unknown1 v9 = *(_DWORD *)(*(_DWORD *)this + 9472); v10 = *(_DWORD *)(*(_DWORD *)this + 12800); v11 = *(_DWORD *)(*(_DWORD *)this + 12880); *(_DWORD *)(*(_DWORD *)this + 9472) = 0; *(_DWORD *)(gpu + 0x3200) = 0; // NV_PFIFO_CACHE1_PUSH0_ACCESS_DISABLE *(_DWORD *)(gpu + 0x3250) = 0; // NV_PFIFO_CACHE1_PULL0_ACCESS_DISABLE v5 = *(_DWORD *)(gpu + 0x3204) & 0x1F; // NV_PFIFO_CACHE1_PUSH1_CHID v6 = gpu + v4 + ((*(_DWORD *)(gpu + 0x3204) & 0x1F) << 6);// unknown2 *(_DWORD *)v6 = *(_DWORD *)(gpu + 0x3240); // NV_PFIFO_CACHE1_DMA_PUT *(_DWORD *)(v6 + 4) = *(_DWORD *)(gpu + 0x3244);// NV_PFIFO_CACHE1_DMA_GET *(_DWORD *)(v6 + 8) = *(_DWORD *)(gpu + 0x3248);// NV_PFIFO_CACHE1_REF *(_DWORD *)(v6 + 12) = *(_DWORD *)(gpu + 0x322C);// NV_PFIFO_CACHE1_DMA_INSTANCE *(_DWORD *)(v6 + 16) = *(_DWORD *)(gpu + 0x3228);// NV_PFIFO_CACHE1_DMA_STATE *(_DWORD *)(v6 + 20) = *(_DWORD *)(gpu + 0x3224);// NV_PFIFO_CACHE1_DMA_FETCH *(_DWORD *)(v6 + 24) = *(_DWORD *)(gpu + 0x3280);// NV_PFIFO_CACHE1_ENGINE *(_DWORD *)(v6 + 28) = *(_DWORD *)(gpu + 0x3254);// NV_PFIFO_CACHE1_PULL1 *(_DWORD *)(v6 + 32) = *(_DWORD *)(gpu + 0x3268);// NV_PFIFO_CACHE1_ACQUIRE_2 *(_DWORD *)(v6 + 36) = *(_DWORD *)(gpu + 0x3264);// NV_PFIFO_CACHE1_ACQUIRE_1 *(_DWORD *)(v6 + 40) = *(_DWORD *)(gpu + 0x3260);// NV_PFIFO_CACHE1_ACQUIRE_0 *(_DWORD *)(v6 + 44) = *(_DWORD *)(gpu + 0x326C);// NV_PFIFO_CACHE1_SEMAPHORE *(_DWORD *)(v6 + 48) = *(_DWORD *)(gpu + 0x324C);// NV_PFIFO_CACHE1_DMA_SUBROUTINE if ( *(_DWORD *)(gpu + 0x3204) & 0x100 ) // NV_PFIFO_CACHE1_PUSH1_MODE_DMA { v12 = 1 << v5; v7 = *(_DWORD *)(gpu + 0x2508) & ~(1 << v5);// NV_PFIFO_DMA if ( *(_DWORD *)(gpu + 0x3240) != *(_DWORD *)(gpu + 0x3244) )// NV_PFIFO_CACHE1_DMA_PUT != NV_PFIFO_CACHE1_DMA_GET v7 |= v12; *(_DWORD *)(gpu + 0x2508) = v7; // NV_PFIFO_DMA } *(_DWORD *)(gpu + 0x3204) = a2_switch & 0x1F; // NV_PFIFO_CACHE1_PUSH1_CHID if ( (1 << a2_switch) & *((_DWORD *)v2 + 65) && a2_switch != 1 ) *(_DWORD *)(gpu + 0x3204) |= 0x100u; // NV_PFIFO_CACHE1_PUSH1_MODE_DMA v8 = v4 + (a2_switch << 6) + gpu; // unknown3 *(_DWORD *)(gpu + 0x3240) = *(_DWORD *)v8; // NV_PFIFO_CACHE1_DMA_PUT *(_DWORD *)(gpu + 0x3244) = *(_DWORD *)(v8 + 4);// NV_PFIFO_CACHE1_DMA_GET *(_DWORD *)(gpu + 0x3248) = *(_DWORD *)(v8 + 8);// NV_PFIFO_CACHE1_REF *(_DWORD *)(gpu + 0x322C) = *(_DWORD *)(v8 + 12);// NV_PFIFO_CACHE1_DMA_INSTANCE *(_DWORD *)(gpu + 0x3228) = *(_DWORD *)(v8 + 16);// NV_PFIFO_CACHE1_DMA_STATE *(_DWORD *)(gpu + 0x3224) = *(_DWORD *)(v8 + 20);// NV_PFIFO_CACHE1_DMA_FETCH *(_DWORD *)(gpu + 0x3280) = *(_DWORD *)(v8 + 24);// NV_PFIFO_CACHE1_ENGINE *(_DWORD *)(gpu + 0x3254) = *(_DWORD *)(v8 + 28);// NV_PFIFO_CACHE1_PULL1 *(_DWORD *)(gpu + 0x3268) = *(_DWORD *)(v8 + 32);// NV_PFIFO_CACHE1_ACQUIRE_2 *(_DWORD *)(gpu + 0x3264) = *(_DWORD *)(v8 + 36);// NV_PFIFO_CACHE1_ACQUIRE_1 *(_DWORD *)(gpu + 0x3260) = *(_DWORD *)(v8 + 40);// NV_PFIFO_CACHE1_ACQUIRE_0 *(_DWORD *)(gpu + 0x326C) = *(_DWORD *)(v8 + 44);// NV_PFIFO_CACHE1_SEMAPHORE *(_DWORD *)(gpu + 0x324C) = *(_DWORD *)(v8 + 48);// NV_PFIFO_CACHE1_DMA_SUBROUTINE if ( (1 << a2_switch) & *((_DWORD *)v2 + 65) && a2_switch != 1 ) *(_DWORD *)(gpu + 0x3220) = 1; // NV_PFIFO_CACHE1_DMA_PUSH_ACCESS_ENABLE *(_DWORD *)(gpu + 0x204C) = 0x1FFFFFu; // NV_PFIFO_TIMESLICE_TIMER_EXPIRED *(_DWORD *)(gpu + 0x3250) = v11; // NV_PFIFO_CACHE1_PULL0 *(_DWORD *)(gpu + 0x3200) = v10; // NV_PFIFO_CACHE1_PUSH0 *(_DWORD *)(gpu + 0x2500) = v9; // NV_PFIFO_CACHES return gpu; } </pre> 9f8cf619303c865856e693f9060a40962ccf3661 2 3770 5671 5556 2017-06-04T09:49:59Z Haxar 2485 wikitext text/x-wiki === GitHub === * [https://github.com/haxar/cxbx-shogun Cxbx w/ Wine support.] === R&D === * [[User:Haxar/fastcall|fastcall routines from rgrep]] * [[User:Haxar/NV2A|NV2A register access from D3D8]] 377ad2089f09c95525b0708a5a93d1bf80befaba 0 3700 5673 5406 2017-06-04T12:27:50Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |- |44 || u8[20] || SHA-1 hash || Hash until here (of the complete format) |- |64 || u8[256] || Signature || For hash in previous field |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, the 44 first bytes of this structure are SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1503 || Unknown1 || || Unknown, hash at offset 44 not confirmed for this Unknown1 struct |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 830ff93d7b71c685223049333a58a715c443d3f7 5679 5673 2017-06-04T14:11:25Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (320 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 345aa616cf5c82c627be0464cb3b219bc5ddbf18 5680 5679 2017-06-04T14:15:26Z JayFoxRox 2 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== 2048 Bytes READ DVD STRUCTURE with format 0x04 ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] f8bb6c640275c57eed109cbcbee698a916c0dae0 0 3704 5681 5362 2017-06-05T09:50:29Z JayFoxRox 2 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. There are four retail drives known to be used by Microsoft in the retail version of the console. any xbox dvd drive can be used in any retail xbox. Development kits can use and read debug signed code from these drives. Other drives that might work are firmware modded PC drives like Kreon drives. List of Xbox DVD Drive manufacturers * Thomson * Philips * Samsung * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 86583aeccaef11e9bdedaf25f803f68399375a69 5682 5681 2017-06-05T10:08:26Z JayFoxRox 2 /* MODE SENSE and MODE SELECT */ wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. There are four retail drives known to be used by Microsoft in the retail version of the console. any xbox dvd drive can be used in any retail xbox. Development kits can use and read debug signed code from these drives. Other drives that might work are firmware modded PC drives like Kreon drives. List of Xbox DVD Drive manufacturers * Thomson * Philips * Samsung * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 453997436744482968d9c504f5cecfaca8dfb2fe 0 3792 5683 2017-06-06T13:22:49Z JayFoxRox 2 File format list I still had on my hdd wikitext text/x-wiki == File formats == Audio: * wav [ffmpeg] * wma [ffmpeg] * dat / xwb * ini Video: * xmv [ffmpeg] Textures: * ? Animation: * none? Bones: * none? Shader: * ? f601155499c5919415bb5cc64c55fe8639217400 5685 5683 2017-06-06T13:25:22Z JayFoxRox 2 /* File formats */ wikitext text/x-wiki == File formats == Audio: * wav [ffmpeg] * wma [ffmpeg] * dat / xwb * ini Video: * xmv [ffmpeg] Textures: * ? Animation: * none? Bones: * none? Shader: * ? === PAK === This is an old, untested and incomplete tool to look at the header of a PAK file. <pre>#include <stdint.h> #include <stdio.h> #include <inttypes.h> static FILE* f = NULL; void chunk() { char magic[4]; fread(magic, 1, 4, f); uint32_t unk1; fread(&unk1, 1, 4, f); uint32_t unk2; fread(&unk2, 1, 4, f); uint32_t offset; fread(&offset, 1, 4, f); char* endMagic = "END\0"; char* indxMagic = "INDX"; char* wmshMagic = "WMSH"; char* textMagic = "TEXT"; // 32 byte payload? char* vbMagic = "VB\0\0"; printf("magic: '%.4s'\n", magic); printf("unk1: 0x%08" PRIX32 "\n", unk1); printf("unk2: 0x%08" PRIX32 "\n", unk2); printf("offset: %" PRIu32 " bytes\n", offset); if (!feof(f)) { chunk(); } } int main(int argc, char* argv[]) { f = fopen(argv[1], "rb"); if (f == NULL) { return 1; } // fseek(f, 16, SEEK_SET); chunk(); fclose(f); return 0; }</pre> d9ce81ad9fe3f4866d1480eb228ceb64d1651a99 5686 5685 2017-06-06T13:26:23Z JayFoxRox 2 wikitext text/x-wiki {{Game}} == File formats == Audio: * wav [ffmpeg] * wma [ffmpeg] * dat / xwb * ini Video: * xmv [ffmpeg] Textures: * ? Animation: * none? Bones: * none? Shader: * ? === PAK === This is an old, untested and incomplete tool to look at the header of a PAK file. <pre>#include <stdint.h> #include <stdio.h> #include <inttypes.h> static FILE* f = NULL; void chunk() { char magic[4]; fread(magic, 1, 4, f); uint32_t unk1; fread(&unk1, 1, 4, f); uint32_t unk2; fread(&unk2, 1, 4, f); uint32_t offset; fread(&offset, 1, 4, f); char* endMagic = "END\0"; char* indxMagic = "INDX"; char* wmshMagic = "WMSH"; char* textMagic = "TEXT"; // 32 byte payload? char* vbMagic = "VB\0\0"; printf("magic: '%.4s'\n", magic); printf("unk1: 0x%08" PRIX32 "\n", unk1); printf("unk2: 0x%08" PRIX32 "\n", unk2); printf("offset: %" PRIu32 " bytes\n", offset); if (!feof(f)) { chunk(); } } int main(int argc, char* argv[]) { f = fopen(argv[1], "rb"); if (f == NULL) { return 1; } // fseek(f, 16, SEEK_SET); chunk(); fclose(f); return 0; }</pre> 91a3126ebf7f22fedc7f2ab37575a53f5b9f5908 0 3793 5684 2017-06-06T13:24:01Z JayFoxRox 2 File format list I still had on my hdd wikitext text/x-wiki == File formats == Audio: * aix / adx [ffmpeg], Video: * sfd [ffmpeg] Textures: * dds [imagemagick convert] * tga [imagemagick convert] Material: * mit * bin (XSSB) Animation: * ? Bones: * ? Shader: * ? 1cd425b2255fb1b65ff4d79afbba7ea790ba5560 0 3793 5687 5684 2017-06-06T13:26:43Z JayFoxRox 2 wikitext text/x-wiki {{Game}} == File formats == Audio: * aix / adx [ffmpeg], Video: * sfd [ffmpeg] Textures: * dds [imagemagick convert] * tga [imagemagick convert] Material: * mit * bin (XSSB) Animation: * ? Bones: * ? Shader: * ? 646567e554d073df1a1eed96a2e166d95fa27d8d 0 3794 5688 2017-06-06T13:29:35Z JayFoxRox 2 Created page with "{{Game}} == Notes == * [https://github.com/JayFoxRox/top2ogg Tool to convert *.top video files to other formats]" wikitext text/x-wiki {{Game}} == Notes == * [https://github.com/JayFoxRox/top2ogg Tool to convert *.top video files to other formats] 046fc55c027cce90390ec502855eec4271c1fa35 0 3683 5689 5647 2017-06-06T14:15:36Z JayFoxRox 2 wikitext text/x-wiki == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 57d7b923f226b0af9f4cce812858e1a88931b944 0 3751 5690 5460 2017-06-06T14:42:21Z JayFoxRox 2 /* TEA attack */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20# hack === Uses a legacy x86 feature. === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd4FC which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400) this will become: <code>E9 83 01 00 80</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 543c16213c36b0b42598d08682caf7bd77630259 5691 5690 2017-06-06T14:45:59Z JayFoxRox 2 /* MCPX */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd4FC which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400) this will become: <code>E9 83 01 00 80</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 508ba29dd0565781b95a3732330815e2344c8d3e 5692 5691 2017-06-06T14:47:06Z JayFoxRox 2 /* A20# hack */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd4FC which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400) this will become: <code>E9 83 01 00 80</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] cab048496d60ec2190ab679d1099613c9cd51222 5718 5692 2017-06-18T19:04:13Z JayFoxRox 2 I've looked at the rom images myself now, the original address in andys post most be correct [BUT the attack should not work?]. investigating wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd404) this will become: <code>E9 83 01 00 80</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd408 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 3ba1e4c03438d636aec32a3aaed99edea974edbf 5720 5718 2017-06-18T21:58:05Z JayFoxRox 2 I'm stupid. Endianess wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] d96d1eaae937864d9ac1ba023d8514f9ce8dd4d7 5721 5720 2017-06-18T21:58:33Z JayFoxRox 2 /* TEA attack (MCPX 1.1 only) */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] b846da0557abb735bed5209462422543a0ad87e9 0 3795 5693 2017-06-07T00:11:37Z Haxar 2485 Created page with "{{Game}} == Map File Format (Iron_Forge whitepaper) == Halo 2 .map file format whitepaper originally by Iron_Forge. Created: 11/21/2004, 12:13:00, Iron_Forge. Filename: H2..." wikitext text/x-wiki {{Game}} == Map File Format (Iron_Forge whitepaper) == Halo 2 .map file format whitepaper originally by Iron_Forge. Created: 11/21/2004, 12:13:00, Iron_Forge. Filename: H2WhitePaper.doc Retrieved from [http://old.halomods.com old.halomods.com]. === 1 - General Information === ==== 1.1 - Introduction ==== Greetings. My name is Iron_Forge, and I have been working on and off with Halo map files of one type or another for a little over a year now. I have remained active in all areas of map formatting of Halo 1 for the xbox as well as the pc. Odds are if you have used an application for Halo 1, I have had a hand in it, or the information that led to its conception. I have been working on the Halo 2 map format since its release, and this document serves as a collection of the information I have compiled with the help of good friends MonoxideC and ViperNeo. Applying my experience from Halo 1 and other projects, I am one of a handful of people who could be considered experts on the map file formats. Using this document, I hope to pass this on to you. Many things are not contained within this document, for the simple reason of I did not figure out how they work (the BSP is a good example.) That’s not to say these things are still unknown. ViperNeo had the BSP information completed the same time we were working on models together, due to the strong similarity between them. ==== 1.2 - Glossary ==== '''dword''' – 4 bytes of data (double word) '''word''' – 2 bytes of data '''primary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it. '''secondary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it, primarily used for meta. '''pure offset''' – A value which represents an offset in the file that has not been modified in any way '''raw offset''' – A pure offset whose 2 most significant bits represent the file the offset references '''primary magic offset''' – A pure offset whose value has been increased by the primary magic value '''secondary magic offset''' – A pure offset whose value has been increased by the secondary magic value === 2 - Map Information === ==== 2.1 - Map Layout ==== The Halo 2 map files can be broken up into the following sections: header, sound raw data, model raw data, bsp model raw data, model animation raw data, bsp structure, script references, file names, unicode strings raw data, other, texture raw data, object index, index padding, object meta information, and finally the cache where applicable. ==== 2.2 - Processing ==== When Halo 2 is loaded, it will create cache files (copying the original files to the hard drive of the xbox). The shared and single player shared map files are exceptions to this rule, most likely to lower the load times of the game starting, and each map being processed. If your installation has valid bink video files, these will be played during load times, otherwise a progress text will appear on the screen showing the percentage copied. All loaded files are signed (see section on encryptomatic signature), and should a loading map fail, the engine will retry the copy twice more before giving a “dirty disk” error, or a “map failed to load” error, depending on the map. Upon loading a map, only the required resources are placed in memory. As objects appear on screen, the data for them is streamed from the shared files, replacing the very low copy kept in memory with a much richer and more detailed counterparts. This process allows even multiplayer maps to have access to several hundred megabytes of information, while remaining within the limitations of the xbox hardware. ==== 2.3 - Map Header ==== The map header1 is 2048 bytes just as previous versions of Halo. The version tag is now 8. The index offset is a pure offset pointing to the index header, followed by the meta start, which when added to the index offset will point to the beginning of the meta area. Map origin will define the path (and file) the cache was created from, and as such is only defined in the cache files. ===== 2.3.1 - File Table ===== The file table contains full paths for each object in relative order (first filename is for the first object.) The strings are standard ASCII, with a null termination and no padding is used regardless of where the string terminates. The file table index contains unsigned integers defining the offset which each string begins, also relative. This allows the file table to be read as a single block of characters, and each object to be issued a pointer to the beginning of its string. ===== 2.3.2 - Encryptomatic Signature ===== The encryptomatic signature is created by xoring every dword after the header together. It is my belief that this value has the single purpose of validating maps copied correctly, and was not used to “thwart” would be modders. ===== 2.3.3 - Script References ===== Script references link some object to a specific event. The string table defining these references is in the same format as the file table, including an index. They can often be found following dependencies such as effect dependencies. This would link that effect to be triggered by a given event, such as a button being pressed, or an item being picked up. The reference themselves consist of a pair of words, the first being the index to the string in the table, the second being the length of the script reference string. ==== 2.4 - Index Header ==== The first value in the index header remains the constant used to calculate magic. The object index offset here is a primary magic offset, and points to the object index. ===== 2.4.1 - Tag List ===== Directly following the index header is the tag list. This list contains all used tags in the map file, and defines their object hierarchy. This allows the engine to know for example, that all vehicles are a sub class of the unit class, which is a sub class of the object class. I believe the wildcard tags are used as a way of using the primary tag without its parents, though this is just speculation. ===== 2.4.2 - Object Index ===== The object index is a recursively-constructed collection defining all objects in the map. The objects identifier is defined here, which is used to reference the object from all other areas of the map file. The identifier is composed of two short values, each are incremented equally throughout the index. The meta offset is a secondary magic offset which points to the beginning of the objects meta. ===== 2.4.3 - Primary and Secondary Magic ===== The magic values are used to allow moving large blocks of data without having to modify the data itself. Using a magic value applied to all offsets, after moving the data x bytes, the magic only needs to be increased or decreased 8 to correct all offsets, rather than each offset needing re-calculation. Primary magic is still calculated by magic constant - (index header offset) + sizeof(index header)). Secondary magic, which is now used instead of primary magic for meta related offsets, is primary magic + sizeof(BSP). Since we cannot obtain the size of the BSP object without using secondary magic (it is located in the scenery tag), we use the known offset of the meta start and the secondary magic offset of the first object to calculate this value. === 3 - Objects === ==== 3.1 - Raw Offsets ==== Raw offsets in Halo 2 have no magic applied to them. However, they can reference the current map file, or the three shared files. To do this, it reserves the two most significant (highest) bits to define the referencing file. These are defined as: 002 being local file, 012 being mainmenu.map, 102 being shared.map, and 112 being single_player_shared.map. When referencing a raw offset, one should first determine the file being referenced, remove those two bits from the offset value (and with 0x3FFFFFFF), and then seek to that offset in the correct file to find the referenced data. Given the size of the shared files, it is possible that the third most significant bit is also reserved for sharing new downloadable content in the future, but this would just be speculation. ==== 3.2 - Unicode Strings ==== Unicode strings are built to allow for up to nine languages. The globals object defines where each language block is located, and its related information (size, string count, etc.) as needed. Each unicode string object then contains two shorts per language, the first defining the offset (as a string count) in the language block that the unicode object begins, and the second defining how many strings are in the object. This method allows the multiplayer maps to be identical for every version and region of Halo 2. The engine can simply detect you xbox language settings, and supply the correct string(s) form the language block. ==== 3.3 - Bitmaps & Textures ==== Bitmap objects are collections of the textures in Halo 2, and their layout is rather straightforward. Each texture is allowed up to six levels of detail. Each level of detail is identical to its predecessors first mipmap. So if the first quality level were 256x256, the following would be 128x128. Each level of detail however still contains its own entire set of mipmaps. I suspect this goes further towards Halo 2’s efficient use of memory management. Each bitmap object may also contain several images, usually used where options between similar sets of images are needed (such as multiple level images in the main menu.) These will be represented by the bitm struct reflexive. Each bitmap may be extracted as if it were its own object. Referencing the source to HME/HMT, we can find the different image formats for the different image objects. In addition to these types, 0x11 and 0x12 are both single channel images (you may extract them as A8 if using the common DDS), and are used for bump maps, and light maps (respectively.) Many images are still swizzled (a technique for faster memory copies), and this information may also be referenced from the HME/HMT sources. ==== 3.4 - Sounds ==== Sounds were probably the most enjoyable piece of Halo 2 to work on. They entwine with an “ugh!” object named “I’ve got a lovely bunch of coconuts”, a song done by the amazing comedic group Monty Python. I cannot help but believe this system was done as an easter egg designed just for me as “the curious modder”. To Bungie, I thank you (unless of course this was designed to keep us from removing sounds, in which case I sincerely apologize.) In each sound meta, there is an index and chunk count that references a block in the fifth reflexive in the coconuts object. This block has another index and chunk count, referencing the sixth reflexive in the coconuts object. These chunks reference “option” sounds, such as several different sound choices for entering a vehicle. Each item in the sixth block contains another index and chunk count, this time referencing the ninth reflexive in the coconuts object. The ninth reflexive contains the size and raw offset for each piece of the sound. Sounds in Halo 2 are xbox adpcm or WMA, depending on the type byte. The WMA sounds can be assembled completely from the raw data pieces. The xbox adpcm pieces require the header be written. If the type byte is 1, then the sound is an adpcm, mono, and 22050kbps sound file. Type 2 is also adpcm, stereo, and 44100kbps sound file. Type 3 is a WMA sound file. There is more to the sound formatting than this, however this was mare than enough for me to extract all the sounds. ==== 3.5 - Models ==== Models in Halo 2 use a compressed format based on a bounding box. This bounding box can be found in the first reflexive of the model meta. Using its constraints for each value relevant to the models, the uncompressed value can be found using the formula (((shortValue + 32768) / 65535) * (maxValue – minValue)) + minValue. The model raw data block now contains a header, footer, and several resource chunks. The header contains information regarding how many chunks are in each resource block, allowing you to determine which block contains the information needed (for example, if a given block has 0 chunks, then it will not have a corresponding resource block). The important resource blocks are the mesh information block (containing mesh information), the indices block (containing the indices for the triangle strip), the vertices block (containing at minimum 3 shorts defining the x, y, and z of the vertices), the UV map (containing the compressed UV points.), and the bone map. The third dword (as an unsigned integer) in each mesh information block defines how many indices are in that mesh. The indices are placed in order, so each meshes indices can be found after its predecessor in the indices resource block. The vertices are stored with several sized blocks within their resource block, however the x, y, and z points are still represented by the first 3 shorts respectively. The size of each vertex block can be determined by the type bytes in the model meta. Each short must then be decompressed using the above-mentioned formula and their own constraint value, min x and max x for x, and so on. If the given vertex type has more than 6 bytes, it is followed by the bone references and weights of this vertex. Both are one byte in length, and the bone references are sorted. Therefore if a bone with a value of 0 is read in any position other than the first, this bone reference should be discarded, as should all that follow. Following the bone references are their weights, which are also one byte in length, and can be considered compressed. The weights are a value between 0 an 1 once uncompressed, thus a byte with a weight of 128 will have a weight of 0.5 (or 50% deformation based on this bone.) The exception to this is the 8 byte vertices, where the two bytes following are both bones. If both are set, they each have a weight of 0.5, and if only one is set it is given full weight. The UV’s are slightly more complicated. They are compressed in the same fashion as the vertices. However, while UV’s must always remain between 0 and 1, their constraints are not governed by the same limits. The resulting uncompressed values can be fixed through “looping” them. If the value is 1.3, the resulting value would be 0.3, and given the value -0.3, the resulting value would be 0.7. The easiest way to accomplish this is to mod the resulting value by 1, and then if the value is negative, subtract it from 1. Since the bones have to act over several different pieces, each raw model block has a bone map, relating the bone byte to the correct bone id. This is a byte array, so if a vertex references bone 0, then boneMap[0] will provide the correct bone id. Back to the meta, the sixth reflexive in the model meta defines the bone hierarchy of the model. When parent, child, or sibling is none, the value will be set to 0xFFFF. These chunks are the bones which are mapped to from the raw data. The name is a script reference, and defines what the bone is called. The second reflexive defines all the level of details (LOD) for the model pieces. The name is again a script reference defining what this particular LOD is called. This is followed by a reflexive. This reflexive is for all the different options for the particular LOD (for example: base, default, damaged, etc.) Each of these reflexives consist of another script reference name, defining what this option is referred to as, followed by a series of 5 shorts. These shorts refer to the piece of the model which makes up one of the 5 LODs for this option. The last short (following the 5 LODs), defines the piece of the model which has the highest LOD (this should be equal to the 5th LOD value.) If a model only has 3 LODs, the first three LOD values will be the same, defining one piece to be used for all three levels. The seventh reflexive in the model meta defines a series of locations defining everything from where lights and other effects are located on a model, to where the characters place their hands while using the model. These are set by a script reference to link the point to, and the points location data. ==== 3.6 - Other Tags ==== For the most part, objects are quite similar to their Halo 1 counterparts. Usually there has been some general compacting of the data (the tags have been cleaned up, unused values removed), or a reflexive added here and there. Notable exceptions that I haven’t written about here (as lack of time and motivation kept me away) are the model animations, which now have large blocks of raw data. === 4 - In Closing === ==== 4.1 - Conclusion ==== In closing, I would like to say that not all the information enclosed here is guaranteed to be accurate. It is composed of my findings, and how I interpreted them at the time. Much of the structs are incomplete, as I tend to not write down things I figure out while seeking other answers, and I tried to only include solid information, instead of all my random notes. The information contained within these pages should be enough to get any one started, and take them to the point of being able to obtain any of the above items, and replace them with their own creations. I would like to thank all of you who read this far (and bothered reading this), and to you all, happy modding. ==== 4.2 - Acknowledgements ==== I would also once again like to thank MonoxideC and ViperNeo for their help in this. While they may remain modest, both were invaluable in explaining things I didn’t fully understand, bouncing ideas off, and just helping out anyway they could. The community is better for having them, and I better for knowing them. === 5 - Appendix I - Structures === <pre> struct mapHeader { char[4] head; int version; int filesize; int zero; int indexOffset; int metaStart; dword[2] unknown; char[32] mapOrigin; byte[224]unknown; char[32] build; byte[20] unknown; int unknown; int offsetToStrangeFileStrings; int unknown; int offsetToSomething; int scriptReferenceCount; int sizeOfScriptReference; int offsetToScriptReferenceIndex; int offsetToScriptReferenceStrings; byte[36] unknown; char[32] mapName; int zero; char[32] scenarioPath; byte[224] zero; int unknown; int fileCount; int fileTableOffset; int fileTableSize; int filesIndex; int signature; byte[1320] zero; char[4] foot; } struct indexHeader { int primaryMagicConstantMagic; int tagListCount; int objectIndexOffset; int scenarioID; int tagIDStart; int unknown; int objectCount; char[4] tags; } struct tagListEntry { char[4] objectClass; char[4] parentClass; char[4] grandparentClass; } struct objectEntry { char[4] tag; int ID; int offset; int metaSize; } struct unicMeta { uint[4] zero; short lang1Offset; short lang1Count; short lang2Offset; short lang2Count; short lang3Offset; short lang3Count; short lang4Offset; short lang4Count; short lang5Offset; short lang5Count; short lang6Offset; short lang6Count; short lang7Offset; short lang7Count; short lang8Offset; short lang8Count; short lang9Offset; short lang9Count; } struct bitmMeta { byte[68] data; struct image { char[4] bitm; ushort width; ushort height; ushort depth; ushort type; ushort format; ushort flags; ushort regPointX; ushort regPointY; ushort mipMapCount; ushort pixelOffset; uint zero; uint[6] offset; uint[6] size; uint identifier; byte[36] unknown; } } struct sndMeta { dword unknown; byte format; byte[3] unknown; short index; byte chunkCount; byte unknown; dword[2] unknown; } struct ughMeta { struct {} struct {} struct { scriptRef sound; } struct {} struct soundOptions { dword[2] unknown; short index; short chunkCount; } struct soundPieces { dword[3] unknown; short index; short chunkCount; } struct {} struct {} struct rawSound { uint rawOffset; uint size; uint eff; } struct {} struct {} } struct modeMeta { scriptRef modelName; dword val2; dword val3; dword zero; dword zero; struct boundingBox { float minX; float maxX; float minY; float maxY; float minZ; float maxZ; float minU; float maxU; float minV; float maxV; dword:4 zero; } struct LODs { scriptRef modelPiece; word sval1; // FFFF word sval2; // 0000 struct ref2.1 { scriptRef modelType; word LODPiece1; word LODPiece2; word LODPiece3; word LODPiece4; word LODPiece5; word LODPieceHigh; } } struct pieces { dword unknown; ushort vertCount; ushort unknown; byte[12] val1; ushort type; ushort unkown; dword val; dword[2] zero; dword[3] val; dword[2] zero; uint rawOffset; uint size; uint headerSize; dword val4; struct rsrc { word val; word val; word val; word val; uint size; uint offset; } dword identifier; dword val5; dword eff; } struct ref4 { dword zero; } struct ref5 { dword val1; dword:2 zero; } dword[3] zero; struct bones { scriptRef boneName ushort parent; ushort firstChild; ushort nextSibling; word val1; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float distanceFromParent; } dword[2] zero; struct points { scriptRef pointName; struct points { short; // 0xFFFF short; float[7] val; dword zero; } } struct shaders { dependancy shad; dependancy shad; dword:4 zero; } dword[7] zero; } struct modelHeader { char[4] blkh; uint size; uint informationChunks; uint zero; uint unkChunks; uint zero; uint unk2Chunks; uint[3] zero; uint indicesChunks; uint[5] zero; uint unk3Chunks; uint[10] zero; uint boneChunks; uint[2] zero; } </pre> dc0970f28bfc9402d957359e2700a419b7a2cdaa 5694 5693 2017-06-07T00:17:51Z Haxar 2485 wikitext text/x-wiki {{Game}} == Map File Format (Iron_Forge whitepaper) == Retrieved from [http://old.halomods.com old.halomods.com]. Halo 2 .map file format whitepaper originally by Iron_Forge. Filename: H2WhitePaper.doc Created: 11/21/2004, 12:13:00, Iron_Forge. Revision: 0.9b === 1 - General Information === ==== 1.1 - Introduction ==== Greetings. My name is Iron_Forge, and I have been working on and off with Halo map files of one type or another for a little over a year now. I have remained active in all areas of map formatting of Halo 1 for the xbox as well as the pc. Odds are if you have used an application for Halo 1, I have had a hand in it, or the information that led to its conception. I have been working on the Halo 2 map format since its release, and this document serves as a collection of the information I have compiled with the help of good friends MonoxideC and ViperNeo. Applying my experience from Halo 1 and other projects, I am one of a handful of people who could be considered experts on the map file formats. Using this document, I hope to pass this on to you. Many things are not contained within this document, for the simple reason of I did not figure out how they work (the BSP is a good example.) That’s not to say these things are still unknown. ViperNeo had the BSP information completed the same time we were working on models together, due to the strong similarity between them. ==== 1.2 - Glossary ==== '''dword''' – 4 bytes of data (double word) '''word''' – 2 bytes of data '''primary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it. '''secondary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it, primarily used for meta. '''pure offset''' – A value which represents an offset in the file that has not been modified in any way '''raw offset''' – A pure offset whose 2 most significant bits represent the file the offset references '''primary magic offset''' – A pure offset whose value has been increased by the primary magic value '''secondary magic offset''' – A pure offset whose value has been increased by the secondary magic value === 2 - Map Information === ==== 2.1 - Map Layout ==== The Halo 2 map files can be broken up into the following sections: header, sound raw data, model raw data, bsp model raw data, model animation raw data, bsp structure, script references, file names, unicode strings raw data, other, texture raw data, object index, index padding, object meta information, and finally the cache where applicable. ==== 2.2 - Processing ==== When Halo 2 is loaded, it will create cache files (copying the original files to the hard drive of the xbox). The shared and single player shared map files are exceptions to this rule, most likely to lower the load times of the game starting, and each map being processed. If your installation has valid bink video files, these will be played during load times, otherwise a progress text will appear on the screen showing the percentage copied. All loaded files are signed (see section on encryptomatic signature), and should a loading map fail, the engine will retry the copy twice more before giving a “dirty disk” error, or a “map failed to load” error, depending on the map. Upon loading a map, only the required resources are placed in memory. As objects appear on screen, the data for them is streamed from the shared files, replacing the very low copy kept in memory with a much richer and more detailed counterparts. This process allows even multiplayer maps to have access to several hundred megabytes of information, while remaining within the limitations of the xbox hardware. ==== 2.3 - Map Header ==== The map header1 is 2048 bytes just as previous versions of Halo. The version tag is now 8. The index offset is a pure offset pointing to the index header, followed by the meta start, which when added to the index offset will point to the beginning of the meta area. Map origin will define the path (and file) the cache was created from, and as such is only defined in the cache files. ===== 2.3.1 - File Table ===== The file table contains full paths for each object in relative order (first filename is for the first object.) The strings are standard ASCII, with a null termination and no padding is used regardless of where the string terminates. The file table index contains unsigned integers defining the offset which each string begins, also relative. This allows the file table to be read as a single block of characters, and each object to be issued a pointer to the beginning of its string. ===== 2.3.2 - Encryptomatic Signature ===== The encryptomatic signature is created by xoring every dword after the header together. It is my belief that this value has the single purpose of validating maps copied correctly, and was not used to “thwart” would be modders. ===== 2.3.3 - Script References ===== Script references link some object to a specific event. The string table defining these references is in the same format as the file table, including an index. They can often be found following dependencies such as effect dependencies. This would link that effect to be triggered by a given event, such as a button being pressed, or an item being picked up. The reference themselves consist of a pair of words, the first being the index to the string in the table, the second being the length of the script reference string. ==== 2.4 - Index Header ==== The first value in the index header remains the constant used to calculate magic. The object index offset here is a primary magic offset, and points to the object index. ===== 2.4.1 - Tag List ===== Directly following the index header is the tag list. This list contains all used tags in the map file, and defines their object hierarchy. This allows the engine to know for example, that all vehicles are a sub class of the unit class, which is a sub class of the object class. I believe the wildcard tags are used as a way of using the primary tag without its parents, though this is just speculation. ===== 2.4.2 - Object Index ===== The object index is a recursively-constructed collection defining all objects in the map. The objects identifier is defined here, which is used to reference the object from all other areas of the map file. The identifier is composed of two short values, each are incremented equally throughout the index. The meta offset is a secondary magic offset which points to the beginning of the objects meta. ===== 2.4.3 - Primary and Secondary Magic ===== The magic values are used to allow moving large blocks of data without having to modify the data itself. Using a magic value applied to all offsets, after moving the data x bytes, the magic only needs to be increased or decreased 8 to correct all offsets, rather than each offset needing re-calculation. Primary magic is still calculated by magic constant - (index header offset) + sizeof(index header)). Secondary magic, which is now used instead of primary magic for meta related offsets, is primary magic + sizeof(BSP). Since we cannot obtain the size of the BSP object without using secondary magic (it is located in the scenery tag), we use the known offset of the meta start and the secondary magic offset of the first object to calculate this value. === 3 - Objects === ==== 3.1 - Raw Offsets ==== Raw offsets in Halo 2 have no magic applied to them. However, they can reference the current map file, or the three shared files. To do this, it reserves the two most significant (highest) bits to define the referencing file. These are defined as: 002 being local file, 012 being mainmenu.map, 102 being shared.map, and 112 being single_player_shared.map. When referencing a raw offset, one should first determine the file being referenced, remove those two bits from the offset value (and with 0x3FFFFFFF), and then seek to that offset in the correct file to find the referenced data. Given the size of the shared files, it is possible that the third most significant bit is also reserved for sharing new downloadable content in the future, but this would just be speculation. ==== 3.2 - Unicode Strings ==== Unicode strings are built to allow for up to nine languages. The globals object defines where each language block is located, and its related information (size, string count, etc.) as needed. Each unicode string object then contains two shorts per language, the first defining the offset (as a string count) in the language block that the unicode object begins, and the second defining how many strings are in the object. This method allows the multiplayer maps to be identical for every version and region of Halo 2. The engine can simply detect you xbox language settings, and supply the correct string(s) form the language block. ==== 3.3 - Bitmaps & Textures ==== Bitmap objects are collections of the textures in Halo 2, and their layout is rather straightforward. Each texture is allowed up to six levels of detail. Each level of detail is identical to its predecessors first mipmap. So if the first quality level were 256x256, the following would be 128x128. Each level of detail however still contains its own entire set of mipmaps. I suspect this goes further towards Halo 2’s efficient use of memory management. Each bitmap object may also contain several images, usually used where options between similar sets of images are needed (such as multiple level images in the main menu.) These will be represented by the bitm struct reflexive. Each bitmap may be extracted as if it were its own object. Referencing the source to HME/HMT, we can find the different image formats for the different image objects. In addition to these types, 0x11 and 0x12 are both single channel images (you may extract them as A8 if using the common DDS), and are used for bump maps, and light maps (respectively.) Many images are still swizzled (a technique for faster memory copies), and this information may also be referenced from the HME/HMT sources. ==== 3.4 - Sounds ==== Sounds were probably the most enjoyable piece of Halo 2 to work on. They entwine with an “ugh!” object named “I’ve got a lovely bunch of coconuts”, a song done by the amazing comedic group Monty Python. I cannot help but believe this system was done as an easter egg designed just for me as “the curious modder”. To Bungie, I thank you (unless of course this was designed to keep us from removing sounds, in which case I sincerely apologize.) In each sound meta, there is an index and chunk count that references a block in the fifth reflexive in the coconuts object. This block has another index and chunk count, referencing the sixth reflexive in the coconuts object. These chunks reference “option” sounds, such as several different sound choices for entering a vehicle. Each item in the sixth block contains another index and chunk count, this time referencing the ninth reflexive in the coconuts object. The ninth reflexive contains the size and raw offset for each piece of the sound. Sounds in Halo 2 are xbox adpcm or WMA, depending on the type byte. The WMA sounds can be assembled completely from the raw data pieces. The xbox adpcm pieces require the header be written. If the type byte is 1, then the sound is an adpcm, mono, and 22050kbps sound file. Type 2 is also adpcm, stereo, and 44100kbps sound file. Type 3 is a WMA sound file. There is more to the sound formatting than this, however this was mare than enough for me to extract all the sounds. ==== 3.5 - Models ==== Models in Halo 2 use a compressed format based on a bounding box. This bounding box can be found in the first reflexive of the model meta. Using its constraints for each value relevant to the models, the uncompressed value can be found using the formula (((shortValue + 32768) / 65535) * (maxValue – minValue)) + minValue. The model raw data block now contains a header, footer, and several resource chunks. The header contains information regarding how many chunks are in each resource block, allowing you to determine which block contains the information needed (for example, if a given block has 0 chunks, then it will not have a corresponding resource block). The important resource blocks are the mesh information block (containing mesh information), the indices block (containing the indices for the triangle strip), the vertices block (containing at minimum 3 shorts defining the x, y, and z of the vertices), the UV map (containing the compressed UV points.), and the bone map. The third dword (as an unsigned integer) in each mesh information block defines how many indices are in that mesh. The indices are placed in order, so each meshes indices can be found after its predecessor in the indices resource block. The vertices are stored with several sized blocks within their resource block, however the x, y, and z points are still represented by the first 3 shorts respectively. The size of each vertex block can be determined by the type bytes in the model meta. Each short must then be decompressed using the above-mentioned formula and their own constraint value, min x and max x for x, and so on. If the given vertex type has more than 6 bytes, it is followed by the bone references and weights of this vertex. Both are one byte in length, and the bone references are sorted. Therefore if a bone with a value of 0 is read in any position other than the first, this bone reference should be discarded, as should all that follow. Following the bone references are their weights, which are also one byte in length, and can be considered compressed. The weights are a value between 0 an 1 once uncompressed, thus a byte with a weight of 128 will have a weight of 0.5 (or 50% deformation based on this bone.) The exception to this is the 8 byte vertices, where the two bytes following are both bones. If both are set, they each have a weight of 0.5, and if only one is set it is given full weight. The UV’s are slightly more complicated. They are compressed in the same fashion as the vertices. However, while UV’s must always remain between 0 and 1, their constraints are not governed by the same limits. The resulting uncompressed values can be fixed through “looping” them. If the value is 1.3, the resulting value would be 0.3, and given the value -0.3, the resulting value would be 0.7. The easiest way to accomplish this is to mod the resulting value by 1, and then if the value is negative, subtract it from 1. Since the bones have to act over several different pieces, each raw model block has a bone map, relating the bone byte to the correct bone id. This is a byte array, so if a vertex references bone 0, then boneMap[0] will provide the correct bone id. Back to the meta, the sixth reflexive in the model meta defines the bone hierarchy of the model. When parent, child, or sibling is none, the value will be set to 0xFFFF. These chunks are the bones which are mapped to from the raw data. The name is a script reference, and defines what the bone is called. The second reflexive defines all the level of details (LOD) for the model pieces. The name is again a script reference defining what this particular LOD is called. This is followed by a reflexive. This reflexive is for all the different options for the particular LOD (for example: base, default, damaged, etc.) Each of these reflexives consist of another script reference name, defining what this option is referred to as, followed by a series of 5 shorts. These shorts refer to the piece of the model which makes up one of the 5 LODs for this option. The last short (following the 5 LODs), defines the piece of the model which has the highest LOD (this should be equal to the 5th LOD value.) If a model only has 3 LODs, the first three LOD values will be the same, defining one piece to be used for all three levels. The seventh reflexive in the model meta defines a series of locations defining everything from where lights and other effects are located on a model, to where the characters place their hands while using the model. These are set by a script reference to link the point to, and the points location data. ==== 3.6 - Other Tags ==== For the most part, objects are quite similar to their Halo 1 counterparts. Usually there has been some general compacting of the data (the tags have been cleaned up, unused values removed), or a reflexive added here and there. Notable exceptions that I haven’t written about here (as lack of time and motivation kept me away) are the model animations, which now have large blocks of raw data. === 4 - In Closing === ==== 4.1 - Conclusion ==== In closing, I would like to say that not all the information enclosed here is guaranteed to be accurate. It is composed of my findings, and how I interpreted them at the time. Much of the structs are incomplete, as I tend to not write down things I figure out while seeking other answers, and I tried to only include solid information, instead of all my random notes. The information contained within these pages should be enough to get any one started, and take them to the point of being able to obtain any of the above items, and replace them with their own creations. I would like to thank all of you who read this far (and bothered reading this), and to you all, happy modding. ==== 4.2 - Acknowledgements ==== I would also once again like to thank MonoxideC and ViperNeo for their help in this. While they may remain modest, both were invaluable in explaining things I didn’t fully understand, bouncing ideas off, and just helping out anyway they could. The community is better for having them, and I better for knowing them. === 5 - Appendix I - Structures === <pre> struct mapHeader { char[4] head; int version; int filesize; int zero; int indexOffset; int metaStart; dword[2] unknown; char[32] mapOrigin; byte[224]unknown; char[32] build; byte[20] unknown; int unknown; int offsetToStrangeFileStrings; int unknown; int offsetToSomething; int scriptReferenceCount; int sizeOfScriptReference; int offsetToScriptReferenceIndex; int offsetToScriptReferenceStrings; byte[36] unknown; char[32] mapName; int zero; char[32] scenarioPath; byte[224] zero; int unknown; int fileCount; int fileTableOffset; int fileTableSize; int filesIndex; int signature; byte[1320] zero; char[4] foot; } struct indexHeader { int primaryMagicConstantMagic; int tagListCount; int objectIndexOffset; int scenarioID; int tagIDStart; int unknown; int objectCount; char[4] tags; } struct tagListEntry { char[4] objectClass; char[4] parentClass; char[4] grandparentClass; } struct objectEntry { char[4] tag; int ID; int offset; int metaSize; } struct unicMeta { uint[4] zero; short lang1Offset; short lang1Count; short lang2Offset; short lang2Count; short lang3Offset; short lang3Count; short lang4Offset; short lang4Count; short lang5Offset; short lang5Count; short lang6Offset; short lang6Count; short lang7Offset; short lang7Count; short lang8Offset; short lang8Count; short lang9Offset; short lang9Count; } struct bitmMeta { byte[68] data; struct image { char[4] bitm; ushort width; ushort height; ushort depth; ushort type; ushort format; ushort flags; ushort regPointX; ushort regPointY; ushort mipMapCount; ushort pixelOffset; uint zero; uint[6] offset; uint[6] size; uint identifier; byte[36] unknown; } } struct sndMeta { dword unknown; byte format; byte[3] unknown; short index; byte chunkCount; byte unknown; dword[2] unknown; } struct ughMeta { struct {} struct {} struct { scriptRef sound; } struct {} struct soundOptions { dword[2] unknown; short index; short chunkCount; } struct soundPieces { dword[3] unknown; short index; short chunkCount; } struct {} struct {} struct rawSound { uint rawOffset; uint size; uint eff; } struct {} struct {} } struct modeMeta { scriptRef modelName; dword val2; dword val3; dword zero; dword zero; struct boundingBox { float minX; float maxX; float minY; float maxY; float minZ; float maxZ; float minU; float maxU; float minV; float maxV; dword:4 zero; } struct LODs { scriptRef modelPiece; word sval1; // FFFF word sval2; // 0000 struct ref2.1 { scriptRef modelType; word LODPiece1; word LODPiece2; word LODPiece3; word LODPiece4; word LODPiece5; word LODPieceHigh; } } struct pieces { dword unknown; ushort vertCount; ushort unknown; byte[12] val1; ushort type; ushort unkown; dword val; dword[2] zero; dword[3] val; dword[2] zero; uint rawOffset; uint size; uint headerSize; dword val4; struct rsrc { word val; word val; word val; word val; uint size; uint offset; } dword identifier; dword val5; dword eff; } struct ref4 { dword zero; } struct ref5 { dword val1; dword:2 zero; } dword[3] zero; struct bones { scriptRef boneName ushort parent; ushort firstChild; ushort nextSibling; word val1; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float distanceFromParent; } dword[2] zero; struct points { scriptRef pointName; struct points { short; // 0xFFFF short; float[7] val; dword zero; } } struct shaders { dependancy shad; dependancy shad; dword:4 zero; } dword[7] zero; } struct modelHeader { char[4] blkh; uint size; uint informationChunks; uint zero; uint unkChunks; uint zero; uint unk2Chunks; uint[3] zero; uint indicesChunks; uint[5] zero; uint unk3Chunks; uint[10] zero; uint boneChunks; uint[2] zero; } </pre> 0f5c981fae19e4c938b53b5805de926495f34db7 5695 5694 2017-06-07T09:25:54Z JayFoxRox 2 /* 2.1 - Map Layout */ Added a bit more structure wikitext text/x-wiki {{Game}} == Map File Format (Iron_Forge whitepaper) == Retrieved from [http://old.halomods.com old.halomods.com]. Halo 2 .map file format whitepaper originally by Iron_Forge. Filename: H2WhitePaper.doc Created: 11/21/2004, 12:13:00, Iron_Forge. Revision: 0.9b === 1 - General Information === ==== 1.1 - Introduction ==== Greetings. My name is Iron_Forge, and I have been working on and off with Halo map files of one type or another for a little over a year now. I have remained active in all areas of map formatting of Halo 1 for the xbox as well as the pc. Odds are if you have used an application for Halo 1, I have had a hand in it, or the information that led to its conception. I have been working on the Halo 2 map format since its release, and this document serves as a collection of the information I have compiled with the help of good friends MonoxideC and ViperNeo. Applying my experience from Halo 1 and other projects, I am one of a handful of people who could be considered experts on the map file formats. Using this document, I hope to pass this on to you. Many things are not contained within this document, for the simple reason of I did not figure out how they work (the BSP is a good example.) That’s not to say these things are still unknown. ViperNeo had the BSP information completed the same time we were working on models together, due to the strong similarity between them. ==== 1.2 - Glossary ==== '''dword''' – 4 bytes of data (double word) '''word''' – 2 bytes of data '''primary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it. '''secondary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it, primarily used for meta. '''pure offset''' – A value which represents an offset in the file that has not been modified in any way '''raw offset''' – A pure offset whose 2 most significant bits represent the file the offset references '''primary magic offset''' – A pure offset whose value has been increased by the primary magic value '''secondary magic offset''' – A pure offset whose value has been increased by the secondary magic value === 2 - Map Information === ==== 2.1 - Map Layout ==== The Halo 2 map files can be broken up into the following sections: * header * sound raw data * model raw data * bsp model raw data * model animation raw data * bsp structure * script references * file names * unicode strings raw data * other * texture raw data * object index * index padding * object meta information * the cache (where applicable) ==== 2.2 - Processing ==== When Halo 2 is loaded, it will create cache files (copying the original files to the hard drive of the xbox). The shared and single player shared map files are exceptions to this rule, most likely to lower the load times of the game starting, and each map being processed. If your installation has valid bink video files, these will be played during load times, otherwise a progress text will appear on the screen showing the percentage copied. All loaded files are signed (see section on encryptomatic signature), and should a loading map fail, the engine will retry the copy twice more before giving a “dirty disk” error, or a “map failed to load” error, depending on the map. Upon loading a map, only the required resources are placed in memory. As objects appear on screen, the data for them is streamed from the shared files, replacing the very low copy kept in memory with a much richer and more detailed counterparts. This process allows even multiplayer maps to have access to several hundred megabytes of information, while remaining within the limitations of the xbox hardware. ==== 2.3 - Map Header ==== The map header1 is 2048 bytes just as previous versions of Halo. The version tag is now 8. The index offset is a pure offset pointing to the index header, followed by the meta start, which when added to the index offset will point to the beginning of the meta area. Map origin will define the path (and file) the cache was created from, and as such is only defined in the cache files. ===== 2.3.1 - File Table ===== The file table contains full paths for each object in relative order (first filename is for the first object.) The strings are standard ASCII, with a null termination and no padding is used regardless of where the string terminates. The file table index contains unsigned integers defining the offset which each string begins, also relative. This allows the file table to be read as a single block of characters, and each object to be issued a pointer to the beginning of its string. ===== 2.3.2 - Encryptomatic Signature ===== The encryptomatic signature is created by xoring every dword after the header together. It is my belief that this value has the single purpose of validating maps copied correctly, and was not used to “thwart” would be modders. ===== 2.3.3 - Script References ===== Script references link some object to a specific event. The string table defining these references is in the same format as the file table, including an index. They can often be found following dependencies such as effect dependencies. This would link that effect to be triggered by a given event, such as a button being pressed, or an item being picked up. The reference themselves consist of a pair of words, the first being the index to the string in the table, the second being the length of the script reference string. ==== 2.4 - Index Header ==== The first value in the index header remains the constant used to calculate magic. The object index offset here is a primary magic offset, and points to the object index. ===== 2.4.1 - Tag List ===== Directly following the index header is the tag list. This list contains all used tags in the map file, and defines their object hierarchy. This allows the engine to know for example, that all vehicles are a sub class of the unit class, which is a sub class of the object class. I believe the wildcard tags are used as a way of using the primary tag without its parents, though this is just speculation. ===== 2.4.2 - Object Index ===== The object index is a recursively-constructed collection defining all objects in the map. The objects identifier is defined here, which is used to reference the object from all other areas of the map file. The identifier is composed of two short values, each are incremented equally throughout the index. The meta offset is a secondary magic offset which points to the beginning of the objects meta. ===== 2.4.3 - Primary and Secondary Magic ===== The magic values are used to allow moving large blocks of data without having to modify the data itself. Using a magic value applied to all offsets, after moving the data x bytes, the magic only needs to be increased or decreased 8 to correct all offsets, rather than each offset needing re-calculation. Primary magic is still calculated by magic constant - (index header offset) + sizeof(index header)). Secondary magic, which is now used instead of primary magic for meta related offsets, is primary magic + sizeof(BSP). Since we cannot obtain the size of the BSP object without using secondary magic (it is located in the scenery tag), we use the known offset of the meta start and the secondary magic offset of the first object to calculate this value. === 3 - Objects === ==== 3.1 - Raw Offsets ==== Raw offsets in Halo 2 have no magic applied to them. However, they can reference the current map file, or the three shared files. To do this, it reserves the two most significant (highest) bits to define the referencing file. These are defined as: 002 being local file, 012 being mainmenu.map, 102 being shared.map, and 112 being single_player_shared.map. When referencing a raw offset, one should first determine the file being referenced, remove those two bits from the offset value (and with 0x3FFFFFFF), and then seek to that offset in the correct file to find the referenced data. Given the size of the shared files, it is possible that the third most significant bit is also reserved for sharing new downloadable content in the future, but this would just be speculation. ==== 3.2 - Unicode Strings ==== Unicode strings are built to allow for up to nine languages. The globals object defines where each language block is located, and its related information (size, string count, etc.) as needed. Each unicode string object then contains two shorts per language, the first defining the offset (as a string count) in the language block that the unicode object begins, and the second defining how many strings are in the object. This method allows the multiplayer maps to be identical for every version and region of Halo 2. The engine can simply detect you xbox language settings, and supply the correct string(s) form the language block. ==== 3.3 - Bitmaps & Textures ==== Bitmap objects are collections of the textures in Halo 2, and their layout is rather straightforward. Each texture is allowed up to six levels of detail. Each level of detail is identical to its predecessors first mipmap. So if the first quality level were 256x256, the following would be 128x128. Each level of detail however still contains its own entire set of mipmaps. I suspect this goes further towards Halo 2’s efficient use of memory management. Each bitmap object may also contain several images, usually used where options between similar sets of images are needed (such as multiple level images in the main menu.) These will be represented by the bitm struct reflexive. Each bitmap may be extracted as if it were its own object. Referencing the source to HME/HMT, we can find the different image formats for the different image objects. In addition to these types, 0x11 and 0x12 are both single channel images (you may extract them as A8 if using the common DDS), and are used for bump maps, and light maps (respectively.) Many images are still swizzled (a technique for faster memory copies), and this information may also be referenced from the HME/HMT sources. ==== 3.4 - Sounds ==== Sounds were probably the most enjoyable piece of Halo 2 to work on. They entwine with an “ugh!” object named “I’ve got a lovely bunch of coconuts”, a song done by the amazing comedic group Monty Python. I cannot help but believe this system was done as an easter egg designed just for me as “the curious modder”. To Bungie, I thank you (unless of course this was designed to keep us from removing sounds, in which case I sincerely apologize.) In each sound meta, there is an index and chunk count that references a block in the fifth reflexive in the coconuts object. This block has another index and chunk count, referencing the sixth reflexive in the coconuts object. These chunks reference “option” sounds, such as several different sound choices for entering a vehicle. Each item in the sixth block contains another index and chunk count, this time referencing the ninth reflexive in the coconuts object. The ninth reflexive contains the size and raw offset for each piece of the sound. Sounds in Halo 2 are xbox adpcm or WMA, depending on the type byte. The WMA sounds can be assembled completely from the raw data pieces. The xbox adpcm pieces require the header be written. If the type byte is 1, then the sound is an adpcm, mono, and 22050kbps sound file. Type 2 is also adpcm, stereo, and 44100kbps sound file. Type 3 is a WMA sound file. There is more to the sound formatting than this, however this was mare than enough for me to extract all the sounds. ==== 3.5 - Models ==== Models in Halo 2 use a compressed format based on a bounding box. This bounding box can be found in the first reflexive of the model meta. Using its constraints for each value relevant to the models, the uncompressed value can be found using the formula (((shortValue + 32768) / 65535) * (maxValue – minValue)) + minValue. The model raw data block now contains a header, footer, and several resource chunks. The header contains information regarding how many chunks are in each resource block, allowing you to determine which block contains the information needed (for example, if a given block has 0 chunks, then it will not have a corresponding resource block). The important resource blocks are the mesh information block (containing mesh information), the indices block (containing the indices for the triangle strip), the vertices block (containing at minimum 3 shorts defining the x, y, and z of the vertices), the UV map (containing the compressed UV points.), and the bone map. The third dword (as an unsigned integer) in each mesh information block defines how many indices are in that mesh. The indices are placed in order, so each meshes indices can be found after its predecessor in the indices resource block. The vertices are stored with several sized blocks within their resource block, however the x, y, and z points are still represented by the first 3 shorts respectively. The size of each vertex block can be determined by the type bytes in the model meta. Each short must then be decompressed using the above-mentioned formula and their own constraint value, min x and max x for x, and so on. If the given vertex type has more than 6 bytes, it is followed by the bone references and weights of this vertex. Both are one byte in length, and the bone references are sorted. Therefore if a bone with a value of 0 is read in any position other than the first, this bone reference should be discarded, as should all that follow. Following the bone references are their weights, which are also one byte in length, and can be considered compressed. The weights are a value between 0 an 1 once uncompressed, thus a byte with a weight of 128 will have a weight of 0.5 (or 50% deformation based on this bone.) The exception to this is the 8 byte vertices, where the two bytes following are both bones. If both are set, they each have a weight of 0.5, and if only one is set it is given full weight. The UV’s are slightly more complicated. They are compressed in the same fashion as the vertices. However, while UV’s must always remain between 0 and 1, their constraints are not governed by the same limits. The resulting uncompressed values can be fixed through “looping” them. If the value is 1.3, the resulting value would be 0.3, and given the value -0.3, the resulting value would be 0.7. The easiest way to accomplish this is to mod the resulting value by 1, and then if the value is negative, subtract it from 1. Since the bones have to act over several different pieces, each raw model block has a bone map, relating the bone byte to the correct bone id. This is a byte array, so if a vertex references bone 0, then boneMap[0] will provide the correct bone id. Back to the meta, the sixth reflexive in the model meta defines the bone hierarchy of the model. When parent, child, or sibling is none, the value will be set to 0xFFFF. These chunks are the bones which are mapped to from the raw data. The name is a script reference, and defines what the bone is called. The second reflexive defines all the level of details (LOD) for the model pieces. The name is again a script reference defining what this particular LOD is called. This is followed by a reflexive. This reflexive is for all the different options for the particular LOD (for example: base, default, damaged, etc.) Each of these reflexives consist of another script reference name, defining what this option is referred to as, followed by a series of 5 shorts. These shorts refer to the piece of the model which makes up one of the 5 LODs for this option. The last short (following the 5 LODs), defines the piece of the model which has the highest LOD (this should be equal to the 5th LOD value.) If a model only has 3 LODs, the first three LOD values will be the same, defining one piece to be used for all three levels. The seventh reflexive in the model meta defines a series of locations defining everything from where lights and other effects are located on a model, to where the characters place their hands while using the model. These are set by a script reference to link the point to, and the points location data. ==== 3.6 - Other Tags ==== For the most part, objects are quite similar to their Halo 1 counterparts. Usually there has been some general compacting of the data (the tags have been cleaned up, unused values removed), or a reflexive added here and there. Notable exceptions that I haven’t written about here (as lack of time and motivation kept me away) are the model animations, which now have large blocks of raw data. === 4 - In Closing === ==== 4.1 - Conclusion ==== In closing, I would like to say that not all the information enclosed here is guaranteed to be accurate. It is composed of my findings, and how I interpreted them at the time. Much of the structs are incomplete, as I tend to not write down things I figure out while seeking other answers, and I tried to only include solid information, instead of all my random notes. The information contained within these pages should be enough to get any one started, and take them to the point of being able to obtain any of the above items, and replace them with their own creations. I would like to thank all of you who read this far (and bothered reading this), and to you all, happy modding. ==== 4.2 - Acknowledgements ==== I would also once again like to thank MonoxideC and ViperNeo for their help in this. While they may remain modest, both were invaluable in explaining things I didn’t fully understand, bouncing ideas off, and just helping out anyway they could. The community is better for having them, and I better for knowing them. === 5 - Appendix I - Structures === <pre> struct mapHeader { char[4] head; int version; int filesize; int zero; int indexOffset; int metaStart; dword[2] unknown; char[32] mapOrigin; byte[224]unknown; char[32] build; byte[20] unknown; int unknown; int offsetToStrangeFileStrings; int unknown; int offsetToSomething; int scriptReferenceCount; int sizeOfScriptReference; int offsetToScriptReferenceIndex; int offsetToScriptReferenceStrings; byte[36] unknown; char[32] mapName; int zero; char[32] scenarioPath; byte[224] zero; int unknown; int fileCount; int fileTableOffset; int fileTableSize; int filesIndex; int signature; byte[1320] zero; char[4] foot; } struct indexHeader { int primaryMagicConstantMagic; int tagListCount; int objectIndexOffset; int scenarioID; int tagIDStart; int unknown; int objectCount; char[4] tags; } struct tagListEntry { char[4] objectClass; char[4] parentClass; char[4] grandparentClass; } struct objectEntry { char[4] tag; int ID; int offset; int metaSize; } struct unicMeta { uint[4] zero; short lang1Offset; short lang1Count; short lang2Offset; short lang2Count; short lang3Offset; short lang3Count; short lang4Offset; short lang4Count; short lang5Offset; short lang5Count; short lang6Offset; short lang6Count; short lang7Offset; short lang7Count; short lang8Offset; short lang8Count; short lang9Offset; short lang9Count; } struct bitmMeta { byte[68] data; struct image { char[4] bitm; ushort width; ushort height; ushort depth; ushort type; ushort format; ushort flags; ushort regPointX; ushort regPointY; ushort mipMapCount; ushort pixelOffset; uint zero; uint[6] offset; uint[6] size; uint identifier; byte[36] unknown; } } struct sndMeta { dword unknown; byte format; byte[3] unknown; short index; byte chunkCount; byte unknown; dword[2] unknown; } struct ughMeta { struct {} struct {} struct { scriptRef sound; } struct {} struct soundOptions { dword[2] unknown; short index; short chunkCount; } struct soundPieces { dword[3] unknown; short index; short chunkCount; } struct {} struct {} struct rawSound { uint rawOffset; uint size; uint eff; } struct {} struct {} } struct modeMeta { scriptRef modelName; dword val2; dword val3; dword zero; dword zero; struct boundingBox { float minX; float maxX; float minY; float maxY; float minZ; float maxZ; float minU; float maxU; float minV; float maxV; dword:4 zero; } struct LODs { scriptRef modelPiece; word sval1; // FFFF word sval2; // 0000 struct ref2.1 { scriptRef modelType; word LODPiece1; word LODPiece2; word LODPiece3; word LODPiece4; word LODPiece5; word LODPieceHigh; } } struct pieces { dword unknown; ushort vertCount; ushort unknown; byte[12] val1; ushort type; ushort unkown; dword val; dword[2] zero; dword[3] val; dword[2] zero; uint rawOffset; uint size; uint headerSize; dword val4; struct rsrc { word val; word val; word val; word val; uint size; uint offset; } dword identifier; dword val5; dword eff; } struct ref4 { dword zero; } struct ref5 { dword val1; dword:2 zero; } dword[3] zero; struct bones { scriptRef boneName ushort parent; ushort firstChild; ushort nextSibling; word val1; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float distanceFromParent; } dword[2] zero; struct points { scriptRef pointName; struct points { short; // 0xFFFF short; float[7] val; dword zero; } } struct shaders { dependancy shad; dependancy shad; dword:4 zero; } dword[7] zero; } struct modelHeader { char[4] blkh; uint size; uint informationChunks; uint zero; uint unkChunks; uint zero; uint unk2Chunks; uint[3] zero; uint indicesChunks; uint[5] zero; uint unk3Chunks; uint[10] zero; uint boneChunks; uint[2] zero; } </pre> 2dacd3d9287b6f411c7adfd0588cc1ea4a959797 5696 5695 2017-06-07T09:26:32Z JayFoxRox 2 /* 1.2 - Glossary */ wikitext text/x-wiki {{Game}} == Map File Format (Iron_Forge whitepaper) == Retrieved from [http://old.halomods.com old.halomods.com]. Halo 2 .map file format whitepaper originally by Iron_Forge. Filename: H2WhitePaper.doc Created: 11/21/2004, 12:13:00, Iron_Forge. Revision: 0.9b === 1 - General Information === ==== 1.1 - Introduction ==== Greetings. My name is Iron_Forge, and I have been working on and off with Halo map files of one type or another for a little over a year now. I have remained active in all areas of map formatting of Halo 1 for the xbox as well as the pc. Odds are if you have used an application for Halo 1, I have had a hand in it, or the information that led to its conception. I have been working on the Halo 2 map format since its release, and this document serves as a collection of the information I have compiled with the help of good friends MonoxideC and ViperNeo. Applying my experience from Halo 1 and other projects, I am one of a handful of people who could be considered experts on the map file formats. Using this document, I hope to pass this on to you. Many things are not contained within this document, for the simple reason of I did not figure out how they work (the BSP is a good example.) That’s not to say these things are still unknown. ViperNeo had the BSP information completed the same time we were working on models together, due to the strong similarity between them. ==== 1.2 - Glossary ==== * '''dword''' – 4 bytes of data (double word) * '''word''' – 2 bytes of data * '''primary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it. * '''secondary magic''' – A value used to increase offsets, allowing large areas of data to be moved without modifying the offsets contained within it, primarily used for meta. * '''pure offset''' – A value which represents an offset in the file that has not been modified in any way * '''raw offset''' – A pure offset whose 2 most significant bits represent the file the offset references * '''primary magic offset''' – A pure offset whose value has been increased by the primary magic value * '''secondary magic offset''' – A pure offset whose value has been increased by the secondary magic value === 2 - Map Information === ==== 2.1 - Map Layout ==== The Halo 2 map files can be broken up into the following sections: * header * sound raw data * model raw data * bsp model raw data * model animation raw data * bsp structure * script references * file names * unicode strings raw data * other * texture raw data * object index * index padding * object meta information * the cache (where applicable) ==== 2.2 - Processing ==== When Halo 2 is loaded, it will create cache files (copying the original files to the hard drive of the xbox). The shared and single player shared map files are exceptions to this rule, most likely to lower the load times of the game starting, and each map being processed. If your installation has valid bink video files, these will be played during load times, otherwise a progress text will appear on the screen showing the percentage copied. All loaded files are signed (see section on encryptomatic signature), and should a loading map fail, the engine will retry the copy twice more before giving a “dirty disk” error, or a “map failed to load” error, depending on the map. Upon loading a map, only the required resources are placed in memory. As objects appear on screen, the data for them is streamed from the shared files, replacing the very low copy kept in memory with a much richer and more detailed counterparts. This process allows even multiplayer maps to have access to several hundred megabytes of information, while remaining within the limitations of the xbox hardware. ==== 2.3 - Map Header ==== The map header1 is 2048 bytes just as previous versions of Halo. The version tag is now 8. The index offset is a pure offset pointing to the index header, followed by the meta start, which when added to the index offset will point to the beginning of the meta area. Map origin will define the path (and file) the cache was created from, and as such is only defined in the cache files. ===== 2.3.1 - File Table ===== The file table contains full paths for each object in relative order (first filename is for the first object.) The strings are standard ASCII, with a null termination and no padding is used regardless of where the string terminates. The file table index contains unsigned integers defining the offset which each string begins, also relative. This allows the file table to be read as a single block of characters, and each object to be issued a pointer to the beginning of its string. ===== 2.3.2 - Encryptomatic Signature ===== The encryptomatic signature is created by xoring every dword after the header together. It is my belief that this value has the single purpose of validating maps copied correctly, and was not used to “thwart” would be modders. ===== 2.3.3 - Script References ===== Script references link some object to a specific event. The string table defining these references is in the same format as the file table, including an index. They can often be found following dependencies such as effect dependencies. This would link that effect to be triggered by a given event, such as a button being pressed, or an item being picked up. The reference themselves consist of a pair of words, the first being the index to the string in the table, the second being the length of the script reference string. ==== 2.4 - Index Header ==== The first value in the index header remains the constant used to calculate magic. The object index offset here is a primary magic offset, and points to the object index. ===== 2.4.1 - Tag List ===== Directly following the index header is the tag list. This list contains all used tags in the map file, and defines their object hierarchy. This allows the engine to know for example, that all vehicles are a sub class of the unit class, which is a sub class of the object class. I believe the wildcard tags are used as a way of using the primary tag without its parents, though this is just speculation. ===== 2.4.2 - Object Index ===== The object index is a recursively-constructed collection defining all objects in the map. The objects identifier is defined here, which is used to reference the object from all other areas of the map file. The identifier is composed of two short values, each are incremented equally throughout the index. The meta offset is a secondary magic offset which points to the beginning of the objects meta. ===== 2.4.3 - Primary and Secondary Magic ===== The magic values are used to allow moving large blocks of data without having to modify the data itself. Using a magic value applied to all offsets, after moving the data x bytes, the magic only needs to be increased or decreased 8 to correct all offsets, rather than each offset needing re-calculation. Primary magic is still calculated by magic constant - (index header offset) + sizeof(index header)). Secondary magic, which is now used instead of primary magic for meta related offsets, is primary magic + sizeof(BSP). Since we cannot obtain the size of the BSP object without using secondary magic (it is located in the scenery tag), we use the known offset of the meta start and the secondary magic offset of the first object to calculate this value. === 3 - Objects === ==== 3.1 - Raw Offsets ==== Raw offsets in Halo 2 have no magic applied to them. However, they can reference the current map file, or the three shared files. To do this, it reserves the two most significant (highest) bits to define the referencing file. These are defined as: 002 being local file, 012 being mainmenu.map, 102 being shared.map, and 112 being single_player_shared.map. When referencing a raw offset, one should first determine the file being referenced, remove those two bits from the offset value (and with 0x3FFFFFFF), and then seek to that offset in the correct file to find the referenced data. Given the size of the shared files, it is possible that the third most significant bit is also reserved for sharing new downloadable content in the future, but this would just be speculation. ==== 3.2 - Unicode Strings ==== Unicode strings are built to allow for up to nine languages. The globals object defines where each language block is located, and its related information (size, string count, etc.) as needed. Each unicode string object then contains two shorts per language, the first defining the offset (as a string count) in the language block that the unicode object begins, and the second defining how many strings are in the object. This method allows the multiplayer maps to be identical for every version and region of Halo 2. The engine can simply detect you xbox language settings, and supply the correct string(s) form the language block. ==== 3.3 - Bitmaps & Textures ==== Bitmap objects are collections of the textures in Halo 2, and their layout is rather straightforward. Each texture is allowed up to six levels of detail. Each level of detail is identical to its predecessors first mipmap. So if the first quality level were 256x256, the following would be 128x128. Each level of detail however still contains its own entire set of mipmaps. I suspect this goes further towards Halo 2’s efficient use of memory management. Each bitmap object may also contain several images, usually used where options between similar sets of images are needed (such as multiple level images in the main menu.) These will be represented by the bitm struct reflexive. Each bitmap may be extracted as if it were its own object. Referencing the source to HME/HMT, we can find the different image formats for the different image objects. In addition to these types, 0x11 and 0x12 are both single channel images (you may extract them as A8 if using the common DDS), and are used for bump maps, and light maps (respectively.) Many images are still swizzled (a technique for faster memory copies), and this information may also be referenced from the HME/HMT sources. ==== 3.4 - Sounds ==== Sounds were probably the most enjoyable piece of Halo 2 to work on. They entwine with an “ugh!” object named “I’ve got a lovely bunch of coconuts”, a song done by the amazing comedic group Monty Python. I cannot help but believe this system was done as an easter egg designed just for me as “the curious modder”. To Bungie, I thank you (unless of course this was designed to keep us from removing sounds, in which case I sincerely apologize.) In each sound meta, there is an index and chunk count that references a block in the fifth reflexive in the coconuts object. This block has another index and chunk count, referencing the sixth reflexive in the coconuts object. These chunks reference “option” sounds, such as several different sound choices for entering a vehicle. Each item in the sixth block contains another index and chunk count, this time referencing the ninth reflexive in the coconuts object. The ninth reflexive contains the size and raw offset for each piece of the sound. Sounds in Halo 2 are xbox adpcm or WMA, depending on the type byte. The WMA sounds can be assembled completely from the raw data pieces. The xbox adpcm pieces require the header be written. If the type byte is 1, then the sound is an adpcm, mono, and 22050kbps sound file. Type 2 is also adpcm, stereo, and 44100kbps sound file. Type 3 is a WMA sound file. There is more to the sound formatting than this, however this was mare than enough for me to extract all the sounds. ==== 3.5 - Models ==== Models in Halo 2 use a compressed format based on a bounding box. This bounding box can be found in the first reflexive of the model meta. Using its constraints for each value relevant to the models, the uncompressed value can be found using the formula (((shortValue + 32768) / 65535) * (maxValue – minValue)) + minValue. The model raw data block now contains a header, footer, and several resource chunks. The header contains information regarding how many chunks are in each resource block, allowing you to determine which block contains the information needed (for example, if a given block has 0 chunks, then it will not have a corresponding resource block). The important resource blocks are the mesh information block (containing mesh information), the indices block (containing the indices for the triangle strip), the vertices block (containing at minimum 3 shorts defining the x, y, and z of the vertices), the UV map (containing the compressed UV points.), and the bone map. The third dword (as an unsigned integer) in each mesh information block defines how many indices are in that mesh. The indices are placed in order, so each meshes indices can be found after its predecessor in the indices resource block. The vertices are stored with several sized blocks within their resource block, however the x, y, and z points are still represented by the first 3 shorts respectively. The size of each vertex block can be determined by the type bytes in the model meta. Each short must then be decompressed using the above-mentioned formula and their own constraint value, min x and max x for x, and so on. If the given vertex type has more than 6 bytes, it is followed by the bone references and weights of this vertex. Both are one byte in length, and the bone references are sorted. Therefore if a bone with a value of 0 is read in any position other than the first, this bone reference should be discarded, as should all that follow. Following the bone references are their weights, which are also one byte in length, and can be considered compressed. The weights are a value between 0 an 1 once uncompressed, thus a byte with a weight of 128 will have a weight of 0.5 (or 50% deformation based on this bone.) The exception to this is the 8 byte vertices, where the two bytes following are both bones. If both are set, they each have a weight of 0.5, and if only one is set it is given full weight. The UV’s are slightly more complicated. They are compressed in the same fashion as the vertices. However, while UV’s must always remain between 0 and 1, their constraints are not governed by the same limits. The resulting uncompressed values can be fixed through “looping” them. If the value is 1.3, the resulting value would be 0.3, and given the value -0.3, the resulting value would be 0.7. The easiest way to accomplish this is to mod the resulting value by 1, and then if the value is negative, subtract it from 1. Since the bones have to act over several different pieces, each raw model block has a bone map, relating the bone byte to the correct bone id. This is a byte array, so if a vertex references bone 0, then boneMap[0] will provide the correct bone id. Back to the meta, the sixth reflexive in the model meta defines the bone hierarchy of the model. When parent, child, or sibling is none, the value will be set to 0xFFFF. These chunks are the bones which are mapped to from the raw data. The name is a script reference, and defines what the bone is called. The second reflexive defines all the level of details (LOD) for the model pieces. The name is again a script reference defining what this particular LOD is called. This is followed by a reflexive. This reflexive is for all the different options for the particular LOD (for example: base, default, damaged, etc.) Each of these reflexives consist of another script reference name, defining what this option is referred to as, followed by a series of 5 shorts. These shorts refer to the piece of the model which makes up one of the 5 LODs for this option. The last short (following the 5 LODs), defines the piece of the model which has the highest LOD (this should be equal to the 5th LOD value.) If a model only has 3 LODs, the first three LOD values will be the same, defining one piece to be used for all three levels. The seventh reflexive in the model meta defines a series of locations defining everything from where lights and other effects are located on a model, to where the characters place their hands while using the model. These are set by a script reference to link the point to, and the points location data. ==== 3.6 - Other Tags ==== For the most part, objects are quite similar to their Halo 1 counterparts. Usually there has been some general compacting of the data (the tags have been cleaned up, unused values removed), or a reflexive added here and there. Notable exceptions that I haven’t written about here (as lack of time and motivation kept me away) are the model animations, which now have large blocks of raw data. === 4 - In Closing === ==== 4.1 - Conclusion ==== In closing, I would like to say that not all the information enclosed here is guaranteed to be accurate. It is composed of my findings, and how I interpreted them at the time. Much of the structs are incomplete, as I tend to not write down things I figure out while seeking other answers, and I tried to only include solid information, instead of all my random notes. The information contained within these pages should be enough to get any one started, and take them to the point of being able to obtain any of the above items, and replace them with their own creations. I would like to thank all of you who read this far (and bothered reading this), and to you all, happy modding. ==== 4.2 - Acknowledgements ==== I would also once again like to thank MonoxideC and ViperNeo for their help in this. While they may remain modest, both were invaluable in explaining things I didn’t fully understand, bouncing ideas off, and just helping out anyway they could. The community is better for having them, and I better for knowing them. === 5 - Appendix I - Structures === <pre> struct mapHeader { char[4] head; int version; int filesize; int zero; int indexOffset; int metaStart; dword[2] unknown; char[32] mapOrigin; byte[224]unknown; char[32] build; byte[20] unknown; int unknown; int offsetToStrangeFileStrings; int unknown; int offsetToSomething; int scriptReferenceCount; int sizeOfScriptReference; int offsetToScriptReferenceIndex; int offsetToScriptReferenceStrings; byte[36] unknown; char[32] mapName; int zero; char[32] scenarioPath; byte[224] zero; int unknown; int fileCount; int fileTableOffset; int fileTableSize; int filesIndex; int signature; byte[1320] zero; char[4] foot; } struct indexHeader { int primaryMagicConstantMagic; int tagListCount; int objectIndexOffset; int scenarioID; int tagIDStart; int unknown; int objectCount; char[4] tags; } struct tagListEntry { char[4] objectClass; char[4] parentClass; char[4] grandparentClass; } struct objectEntry { char[4] tag; int ID; int offset; int metaSize; } struct unicMeta { uint[4] zero; short lang1Offset; short lang1Count; short lang2Offset; short lang2Count; short lang3Offset; short lang3Count; short lang4Offset; short lang4Count; short lang5Offset; short lang5Count; short lang6Offset; short lang6Count; short lang7Offset; short lang7Count; short lang8Offset; short lang8Count; short lang9Offset; short lang9Count; } struct bitmMeta { byte[68] data; struct image { char[4] bitm; ushort width; ushort height; ushort depth; ushort type; ushort format; ushort flags; ushort regPointX; ushort regPointY; ushort mipMapCount; ushort pixelOffset; uint zero; uint[6] offset; uint[6] size; uint identifier; byte[36] unknown; } } struct sndMeta { dword unknown; byte format; byte[3] unknown; short index; byte chunkCount; byte unknown; dword[2] unknown; } struct ughMeta { struct {} struct {} struct { scriptRef sound; } struct {} struct soundOptions { dword[2] unknown; short index; short chunkCount; } struct soundPieces { dword[3] unknown; short index; short chunkCount; } struct {} struct {} struct rawSound { uint rawOffset; uint size; uint eff; } struct {} struct {} } struct modeMeta { scriptRef modelName; dword val2; dword val3; dword zero; dword zero; struct boundingBox { float minX; float maxX; float minY; float maxY; float minZ; float maxZ; float minU; float maxU; float minV; float maxV; dword:4 zero; } struct LODs { scriptRef modelPiece; word sval1; // FFFF word sval2; // 0000 struct ref2.1 { scriptRef modelType; word LODPiece1; word LODPiece2; word LODPiece3; word LODPiece4; word LODPiece5; word LODPieceHigh; } } struct pieces { dword unknown; ushort vertCount; ushort unknown; byte[12] val1; ushort type; ushort unkown; dword val; dword[2] zero; dword[3] val; dword[2] zero; uint rawOffset; uint size; uint headerSize; dword val4; struct rsrc { word val; word val; word val; word val; uint size; uint offset; } dword identifier; dword val5; dword eff; } struct ref4 { dword zero; } struct ref5 { dword val1; dword:2 zero; } dword[3] zero; struct bones { scriptRef boneName ushort parent; ushort firstChild; ushort nextSibling; word val1; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float; float distanceFromParent; } dword[2] zero; struct points { scriptRef pointName; struct points { short; // 0xFFFF short; float[7] val; dword zero; } } struct shaders { dependancy shad; dependancy shad; dword:4 zero; } dword[7] zero; } struct modelHeader { char[4] blkh; uint size; uint informationChunks; uint zero; uint unkChunks; uint zero; uint unk2Chunks; uint[3] zero; uint indicesChunks; uint[5] zero; uint unk3Chunks; uint[10] zero; uint boneChunks; uint[2] zero; } </pre> 60612a05edca684bdc165edb7ec42f62b4824b9b 0 11 5697 5164 2017-06-07T10:07:32Z JayFoxRox 2 /* Steering wheels */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Internal HUB ==== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> Note that the cable going to the pedals is *not* a USB port despite using the Xbox controller breakout plug. A another Xbox controller connected to the cable coming out of the steering wheel (intended for the pedals) will not be recognized. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Steering wheel and Pedals ==== Always connected to port 1 of the internal HUB <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 9107be882d45d2fddc08c7dcac373423f51aac27 5698 5697 2017-06-07T10:34:32Z JayFoxRox 2 /* Internal HUB */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel and Pedals ==== Always connected to port 1 of the internal HUB <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} fb46d811e9f6af92a1194acaaa54928c7cbe1976 5699 5698 2017-06-07T10:35:09Z JayFoxRox 2 /* Steering wheel and Pedals */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel and Pedals ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} ed67b9811938a21019b284a2bd7b186c19482f73 5700 5699 2017-06-07T10:35:23Z JayFoxRox 2 /* Steering wheel and Pedals */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 5144debe60ad5dfbfffb886754f3964a8a584097 5701 5700 2017-06-07T10:37:58Z JayFoxRox 2 /* Light guns */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS Topgun II === ''This is a non-licensed / unofficial Xbox accessory.'' ==== USB Descriptors ==== {{FIXME}} == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} d451bcba32cf819e28b568d5e17b8da8f669b21a 5710 5701 2017-06-13T19:38:02Z JayFoxRox 2 /* EMS Topgun II */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS Topgun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 653d02a117996b91a11e28af58961ed99d341902 5711 5710 2017-06-13T19:38:18Z JayFoxRox 2 /* EMS Topgun II */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} bafb0a5f562cd969c518cefc297d177a985eeaa7 5712 5711 2017-06-13T19:54:23Z JayFoxRox 2 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B0169BOTDC Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 918c69ff3989f3a82a08ad07721e274ef9837216 0 3790 5702 5652 2017-06-09T15:31:25Z Codeasm 2480 Added unlicensed memory cards wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. <pre> VID:0x045e PID:0x0280 Microsoft Corp. Xbox Memory Unit (8MB) </pre> == thirdparty USB sticks == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || Green logo "Trustmaster" |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} f87a4d3f9f223a3cd42446901f4a2225dc62831b 5703 5702 2017-06-09T15:33:31Z Codeasm 2480 /* thirdparty USB sticks */ wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. <pre> VID:0x045e PID:0x0280 Microsoft Corp. Xbox Memory Unit (8MB) </pre> == thirdparty USB sticks == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || Green logo Xbox and white "Trustmaster" |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} f2bb7bc8881c084eafa61906ddac7ea89eeaeb0a 5704 5703 2017-06-09T15:48:42Z Codeasm 2480 /* thirdparty USB sticks */ Trustmaster is licenced wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. <pre> VID:0x045e PID:0x0280 Microsoft Corp. Xbox Memory Unit (8MB) </pre> == thirdparty USB sticks == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} a908e11a3ce7bdf5d39ca029efbdaff574ce555f 5705 5704 2017-06-09T15:49:41Z Codeasm 2480 Trustmaster one is licenced wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || Green logo Xbox and white "Trustmaster |} == thirdparty USB sticks == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} e2c3d220138d5b3da0a27daf95d4d30b86aac52c 5706 5705 2017-06-09T20:31:52Z JayFoxRox 2 /* thirdparty USB sticks */ wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} 80340108bf0b2bf619d385f3c3d5e0c24bc63b96 5728 5706 2017-06-19T13:10:03Z Codeasm 2480 Added image references wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Notes |- |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] e522a4511192d4069eb3dfa0cec7c1c16c5b5dbf 0 3796 5707 2017-06-10T21:39:34Z Haxar 2485 Redirected page to [[NV2A]] wikitext text/x-wiki #REDIRECT [[NV2A]] c73cc7c29deafe205bc229258fdb2ac3cbc2f25b 0 3674 5708 5635 2017-06-10T22:00:36Z Haxar 2485 Hardware Registers wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFE000000 |- |APU Registers |colspan="2"|0xFE800000 - 0xFE880000 |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC01000 |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED01000 |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED09000 |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF00400 |- |[[Flash]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 12f534bf685af7449ba0ca30a5a970fff6d5f534 5709 5708 2017-06-10T22:09:36Z Haxar 2485 Table centered. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFE000000 |- |APU Registers |colspan="2"|0xFE800000 - 0xFE880000 |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC01000 |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED01000 |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED09000 |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF00400 |- |[[Flash]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> e982be14183eeb8a343bbb108b96a00980c40b42 0 3703 5713 5489 2017-06-15T10:21:54Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] | |daeken |Unknown | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |Dead |Unknown |{{No}} |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |LLE/HLE Hybrid |{{No}} |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |- |Maintained |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Xbox One Backward Compatibility]] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] ffdd5fe2859034739498940e79bd77a42f4c2669 0 3700 5714 5680 2017-06-18T15:06:26Z JayFoxRox 2 /* Disc Manufacturing Information (DMI.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [Xbe#Title_ID] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== 2048 Bytes Read from the Lead-In. READ DVD STRUCTURE with format 0x00 ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 619170f817405cccf3c0d9cd7871b336133f89f6 5715 5714 2017-06-18T15:22:54Z JayFoxRox 2 Moved from PDF, very unhappy with formatting, hopefully we'll have this differently in the future wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [Xbe#Title_ID] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 19eabc0673fffe0bc8fea0e79184ed53900bda6b 5716 5715 2017-06-18T15:28:31Z JayFoxRox 2 Somehow the old text made it sound like one has to do some hex/ASCII stuff etc. - however, my experiments show that it's just the first 7 bytes which are used.. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [Xbe#Title_ID] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 02b7506aa230bf28bf40eb1f32f35ec69ad7fcd3 5717 5716 2017-06-18T18:51:45Z JayFoxRox 2 Fixed internal link wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 90a1a6fd011a72e6057433a4741585a5b0afd098 0 3678 5719 5629 2017-06-18T21:48:20Z Haxar 2485 Kernel Variables wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 |stdcall | |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT] |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 00f03c0aed79d1ecbb71e20c0b59a07283285449 5726 5719 2017-06-19T02:23:20Z Haxar 2485 Kernel/XboxLANKey wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT] |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 1da2e202652bb0a93a1ab332725153d2eb92888e 0 3672 5722 5642 2017-06-18T22:30:43Z JayFoxRox 2 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | || || || || || || || |- ! Kernel Data Segment | || || || || || || || |- ! 2BL | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL (Start & Entry point) | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! FBL (End, exclusive) | || || || 0x3FC80 || 0x3FC80 || 0x3FC80 || 0x3FC80 || 0x3FC80 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 0c960d3b28e3a3cd22effa9bbb7f488a0a6cd341 5723 5722 2017-06-18T23:55:28Z JayFoxRox 2 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x000000079 Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 9f342fbf34f66d8d0976d06f0d2eb75e29fd8b4b 1 3797 5724 2017-06-19T00:33:42Z JayFoxRox 2 /* Move to XBE article */ new section wikitext text/x-wiki == Move to XBE article == A lot of the signing details should be moved to the XBE article / page The information is not related to the XboxSignatureKey variable. f4853187f4c7e6bc55ff587ecea28f0aa8048dcb 5725 5724 2017-06-19T00:33:54Z JayFoxRox 2 Forgot signature wikitext text/x-wiki == Move to XBE article == A lot of the signing details should be moved to the XBE article / page The information is not related to the XboxSignatureKey variable. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 17:33, 18 June 2017 (PDT) bb5c45ab5de1e5ff5646e83006c79b9c86e77540 0 3670 5727 5510 2017-06-19T10:45:22Z JayFoxRox 2 /* MCPX 1.1 */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[Exploits#MCPX|MCPX exploits]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the BL2 from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. Microsoft implemented a TEA algorithm to create a hash of the FBL and if that was correct, it would jump to 0xffffd400. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] 03b3d725c4cf08aee0c414a13f0f49734908e904 0 3707 5729 5257 2017-06-20T18:10:01Z Codeasm 2480 /* Method 2: Exact Copy */ added the DD nice option of showing its progress wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0? | ? | ? | 8G |- | 1.3+ | Seagate | ? | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] c7b72be09835d97678e06f4bf1ea5cd581e45ad8 1 3798 5730 2017-06-21T11:24:32Z JayFoxRox 2 /* Challenge code */ new section wikitext text/x-wiki == Challenge code == [1:06 PM] JayFoxRox: but the handshake page should also be moved to our wiki [but I'd keep it on the SMC article probably and shorten it a bit] [1:06 PM] JayFoxRox: there is also some ambiguity wether it's 200ms or 250ms [1:08 PM] JayFoxRox: like.. that PIC Challenge article has full code listings for communicating with the PIC, which is entirely unrelated to the challenge lol. it's probably even unrelated to the PIC and just smbus related [1:09 PM] JayFoxRox: also the behaviour is not explained anywhere, but just hidden in the example source code [which uses arguments from @ARGV instead of using the SMBUS read/write routine] lol [1:10 PM] JayFoxRox: really that entire article boils down to: 200ms + <pre> $t1 = ($res_1c << 2) ^ ($res_1d + hex('039')) ^ ($res_1e >> 2) ^ ($res_1f + hex('063')); $t2 = ($res_1c + hex('0b')) ^ ($res_1d >> 2) ^ ($res_1e + hex('1b')); </pre> [1:10 PM] JayFoxRox: and unfortunately perl is not the most readable language for this purpose :stuck_out_tongue: [1:17 PM] JayFoxRox: I'd just have used: <pre> uint8_t a = smc_in(0x1C); uint8_t b = smc_in(0x1D); uint8_t c = smc_in(0x1E); uint8_t d = smc_in(0x1F); uint8_t t1 = (a << 2) ^ (b + 0x39) ^ (c >> 2) ^ (d + 0x63); uint8_t t2 = (a + 0x0B) ^ (b >> 2) ^ (d + 0x1B); uint8_t x = 0x33; uint8_t y = 0xED; for (unsigned int i = 0; i < 4; i++) { x += y ^ t1; y += x ^ t2; } smc_out(0x20, x); smc_out(0x21, y); smc_out(0x01, 0x00); </pre> (edited) [1:18 PM] JayFoxRox: the a-d and x-y things could also be described in a comment, and it could also be rewritten without the datatypes and just a comment like: "All datatypes are unsigned bytes!" [1:19 PM] JayFoxRox: [the out portion might even be bad, I have a hard time understanding that code on the xbox-linux wiki] [1:20 PM] JayFoxRox: like.. "The above is repeated 0x21 and byte2, and 0x01 and data 0x00." what does that even mean? 692992f437c6732b1712ffc9c3e70e5f646f9518 0 3765 5731 5585 2017-06-23T04:59:42Z DaveX 2487 typo wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/NForce}} This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives. == nForce == The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours: * IGP-64: 64 bit memory bus * IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation * MCP-D: includes Dolby Digital encoder * MCP: Dolby Digital encoder disabled So these are the four possible combinations: {| class="wikitable" |- | | MCP | MCP-D |- | IGP-64 | nForce 220 | nForce 220D |- | IGP-128 | nForce 420 | nForce 420D |} [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/] The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A. [https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de] [https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm] Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side: * The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2". * The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128. == Crush == "Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX. [https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/] == nForce &amp; Xbox == The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1). [https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&amp;p=3] == AMD Heritage == There is the following rumour, which is not fully verified yet: * Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware. * When alpha hardware had already bee built, Intel made a better deal * Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an AMD CPU * Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia. * nVidia sold the same chipset for PCs, calling it "nForce". This is the reason why * the Xbox is the only nForce chipset with an Intel CPU * the AMD chipset and the nForce chipset are so similar Evidence: * The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c]) * The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c] * The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111. * The nForce and AMD-768 modems are compatible. * At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136). * The nForce uses HyperTransport. * [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html] * ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/] {| class="wikitable" |- | | Northbridge | Southbridge |- | AMD-760 | AMD-761 | AMD-766 |- | AMD-760MP | AMD-762 | AMD-766 |- | AMD-760MPX | AMD-762 | AMD-768 |} [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs] <br /> The nForce chipset might be based on the AMD-760 chipset. == More Links == [https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm] e0f11fe8054c8033e4da2da84049ce5e1e98c624 0 1 5732 5661 2017-06-23T15:03:39Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] 133e02974366277e5a27a99fb33e05b8c71857df 1 3746 5733 5440 2017-06-23T21:28:57Z JayFoxRox 2 /* Incomplete */ new section wikitext text/x-wiki == Crypto notes == The hash function used throughout XBDM is a [https://en.wikipedia.org/wiki/One-way_compression_function#Matyas.E2.80.93Meyer.E2.80.93Oseas Matyas–Meyer–Oseas one-way compression function] built on what appears to be a homegrown [https://en.wikipedia.org/wiki/Feistel_cipher balanced Feistel cipher] with a 64-bit key, 64-bit blocks, and 16 rounds. I can't find references to any of the constants online. == Incomplete == The list is still incomplete. Important functions such as "setmem" are still missing. Can someone <code>strings</code> the file so we have a full commandset somewhere? 0e8646dadf23b258b5422011cd232662ae729ca9 5734 5733 2017-06-23T21:29:15Z JayFoxRox 2 Forgot: Signature added wikitext text/x-wiki == Crypto notes == The hash function used throughout XBDM is a [https://en.wikipedia.org/wiki/One-way_compression_function#Matyas.E2.80.93Meyer.E2.80.93Oseas Matyas–Meyer–Oseas one-way compression function] built on what appears to be a homegrown [https://en.wikipedia.org/wiki/Feistel_cipher balanced Feistel cipher] with a 64-bit key, 64-bit blocks, and 16 rounds. I can't find references to any of the constants online. == Incomplete == The list is still incomplete. Important functions such as "setmem" are still missing. Can someone <code>strings</code> the file so we have a full commandset somewhere? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 23 June 2017 (PDT) cfd9c1e8aaf90653b10459f076be41d296f47cff 0 3799 5735 2017-06-24T01:13:22Z JayFoxRox 2 Rough layout wikitext text/x-wiki * SGE = Scatter Gather Entry * PRD = ? (Same thing as SGE?!) == Global Processor (GP) == == Encode Processor (EP) == == Voice Processor (VP) == === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] c8802ffbadf970b9914c76bf99f27a3fb7719298 5736 5735 2017-06-24T01:16:27Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Engine). * SGE = Scatter Gather Entry * PRD = ? (Same thing as SGE?!) == Global Processor (GP) == == Encode Processor (EP) == == Voice Processor (VP) == === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] d1095f990c6c6c73384dc9c043dde79e11b36733 0 3799 5737 5736 2017-06-24T01:23:10Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Engine). * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == == Encode Processor (EP) == == Voice Processor (VP) == === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 56e60f0ca63d31a868b2c166d1d8d43607617503 5738 5737 2017-06-24T01:23:44Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == == Encode Processor (EP) == == Voice Processor (VP) == === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 338f7655b6078a73430687a18b8f025a6912840c 5739 5738 2017-06-25T02:19:55Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == * GPS = GP Scratch (?) * GPF = GP Frames (?) == Encode Processor (EP) == * EPS = EP Scratch (?) * EPF = EP Frames (?) == Voice Processor (VP) == * VPV = VP Voices * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 6fe6f6f4321ab4c1a659e4e786b8216550a5d64d 5744 5739 2017-06-25T21:35:24Z JayFoxRox 2 /* Global Processor (GP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == * EPS = EP Scratch (?) * EPF = EP Frames (?) == Voice Processor (VP) == * VPV = VP Voices * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] efabb501f1d773f78e358361f5cf1b91aaa1ff3a 5745 5744 2017-06-25T21:35:32Z JayFoxRox 2 /* Encode Processor (EP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == * EPS = EP Scratch (?) * EPF = EP FIFO == Voice Processor (VP) == * VPV = VP Voices * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === * 2D * 3D * MP === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 106e6f4432c931dd645f4e58049c6d3ff5a5f08a 5746 5745 2017-06-26T10:48:23Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == * EPS = EP Scratch (?) * EPF = EP FIFO == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 29ac18727bf19060fefec9c5eded0887f7e16f41 5747 5746 2017-06-26T10:50:28Z JayFoxRox 2 /* Encode Processor (EP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. * EPS = EP Scratch (?) * EPF = EP FIFO == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] b47715e7cb41579a327aa7d2f99530526a2a1451 5748 5747 2017-06-26T10:51:59Z JayFoxRox 2 /* Global Processor (GP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. * EPS = EP Scratch (?) * EPF = EP FIFO == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 2a4f004f2e0987304a88ca1dc2da24d3e356f459 5749 5748 2017-06-26T10:52:32Z JayFoxRox 2 More logical order (VP -> GP -> EP) wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 36149c5b7de840a0aadd49b80da872d11c45f989 5750 5749 2017-06-26T16:09:54Z JayFoxRox 2 /* Global Processor (GP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. GP seems to run at 160 MHz === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] e7a1d30b646a205279e63f720b1bb66f9a97d76b 5751 5750 2017-06-26T16:10:04Z JayFoxRox 2 /* Encode Processor (EP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Memory sections === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. GP seems to run at 160 MHz === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] a3f67ca5148b2e07cf9aa1b8c6447d00b8b0a560 5752 5751 2017-06-26T16:10:24Z JayFoxRox 2 /* Memory sections */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. GP seems to run at 160 MHz === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] f043cf30f4b61c8669fa92bb05ba68929619f7ab 5753 5752 2017-06-26T16:12:36Z JayFoxRox 2 /* Global Processor (GP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * [[wikipedia:Head-related transfer function|Head-related transfer function]] * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] * Pitch * Input type (8bit, 16bit, 24bit, ADPCM) * Volume envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. The GP DSP seems to run at 160 MHz === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 985696d27123bad4792a1bd9fee5569504cf5aab 5754 5753 2017-06-26T16:18:41Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. DirectSound allows to load custom DSP code for these effects. The GP DSP seems to run at 160 MHz === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] b048d0d3a8f0148967bfd71d1cd6e6e8f682341d 5755 5754 2017-06-26T18:46:18Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The final audio data is encoded to AC3 in the EP{{citation needed}} and written to the EP scratch memory. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} It is then send to the ACI using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 15cbb5ee73c538a106d9fb1cc0992fb8e252d36a 5758 5755 2017-06-26T21:31:25Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} {{FIXME|reason=How does this data get into the EP?}} The final audio data is encoded to AC3 in the EP{{citation needed}} and written to the EP scratch memory. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} It is then send to the ACI using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 42efa37195059d9cd1ff59ec79dfbcaa09b26711 5759 5758 2017-06-26T22:48:33Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] ef685baa132173ac4d1996b2fb65db61b08fbb1a 5760 5759 2017-06-27T00:42:17Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is then send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/5e114f24e4a83bd626f31674e024f439f3709d19/python-scripts/dsp.py Script to inspect APU registers and voice buffers (See master revision for updates)] 507cbdb0aeb41c0afd423fe3ab593be7f69a53c2 5762 5760 2017-06-27T01:33:17Z JayFoxRox 2 /* Related */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is then send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 0213ff685014d483c0a614cee6ce04828f585654 5766 5762 2017-06-27T01:52:53Z JayFoxRox 2 /* Modifications for Boot Animation */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 007f5773162fc0dc383a5792a92094fdc151580d 5767 5766 2017-06-27T03:04:51Z DaveX 2487 /* Modifications for Boot Animation */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * Front Left * Center{{citation needed}} * Front Right * Rear Left{{citation needed}} * Rear Right{{citation needed}} * [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 9fb302a724dc639556dad7901787c0858ed68f4c 5770 5767 2017-06-27T13:22:21Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}} It is not used during the [[Boot Animation]]. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] b54ad3221f2d8c0ee94313fc35ca0146fcf06400 0 3671 5740 5466 2017-06-25T02:28:10Z JayFoxRox 2 Research suggests there is one voice processor and 2 programmable DSPs, only one of which is controllable by software (I think) wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors (there are 4{{citation needed}} of them) and also the USB, PCI, IDE, etc, controllers{{citation needed}}. The MCPX is also the home to the secret [[MCPX ROM]]. d5ee5ff9b4c6aedad1801b3435e6ae99a6effb0d 5763 5740 2017-06-27T01:35:28Z JayFoxRox 2 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers{{citation needed}}. The MCPX is also the home to the secret [[MCPX ROM]]. 8de2bcb917306270a9245fd289ad8822e2756402 0 3800 5741 2017-06-25T11:34:24Z JayFoxRox 2 Creating this as a possible placeholder and reminder about DSP facts as research happens wikitext text/x-wiki The DSPs in the APU might be DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) d43cc30e18d517112d22123ba309310b96a0896c 5742 5741 2017-06-25T11:35:53Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) 010fbcbc4cfdb1f8440624ede45df1c25aedd166 5743 5742 2017-06-25T11:36:47Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) According to espes, the DMA stuff is different. 9d0d70417165e3f54ef4be74faf539ab099168a6 5761 5743 2017-06-27T01:03:33Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF b7dcba17a44f7fdbd0bf5c09806fd0213e46fc1a 10 3801 5756 2017-06-26T18:47:26Z JayFoxRox 2 Created page with "{{#if:{{{2|}}}|{{{1|}}}}}<span style="text-decoration:overline;">{{#if:{{{2|}}}|{{{2}}}|{{{1}}}}}</span>" wikitext text/x-wiki {{#if:{{{2|}}}|{{{1|}}}}}<span style="text-decoration:overline;">{{#if:{{{2|}}}|{{{2}}}|{{{1}}}}}</span> b1552f05c350ed86d6dac41e4a0a80217145a612 5757 5756 2017-06-26T18:48:16Z JayFoxRox 2 wikitext text/x-wiki <span style="text-decoration:overline;">{{{1}}}</span> 009b462cf3c81966b8aa29d90370f0984958891a 0 3802 5764 2017-06-27T01:42:34Z JayFoxRox 2 Placeholder mostly. Link at the end is still dead - will update the repo soon. wikitext text/x-wiki The ACI of the Xbox provides AC97. It's similar to the AMD-768 ACI, but it is accessed through MMIO instead. The datasheet for the AMD-768 can be found at https://web.archive.org/web/20060322081039/http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24467.pdf . The AC97 implementation only supports playback of 16-bit PCM stereo samples at 48kHz{{FIXME|reason=Not confirmed, but very likely}}. == Register addresses == * 0x110 PCM * 0x170 SPDIF == Usage in DirectSound == AC97 is only used to receive buffers from the [[APU]]. {{FIXME|reason=I know more about this, but too lazy to write it down; JayFoxRox}} == Related links == * [[https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/aci.py Script to inspect ACI registers and AC97 input buffers]] fcf5ecb50ddc36eb96f770b1bf8ea1c0a9209752 5765 5764 2017-06-27T01:43:19Z JayFoxRox 2 wikitext text/x-wiki The ACI of the Xbox provides AC97. It's similar to the AMD-768 ACI, but it is accessed through MMIO instead. The datasheet for the AMD-768 can be found at https://web.archive.org/web/20060322081039/http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24467.pdf . The AC97 implementation only supports playback of 16-bit PCM stereo samples at 48kHz{{FIXME|reason=Not confirmed, but very likely}}. == Register addresses == * 0x110 PCM * 0x170 SPDIF == Usage in DirectSound == AC97 is only used to receive buffers from the [[APU]]. {{FIXME|reason=I know more about this, but too lazy to write it down; JayFoxRox}} == Related links == * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/aci.py Script to inspect ACI registers and AC97 input buffers] d0094e09ad982f137be66b2b3540aae22e81ef58 6 3803 5768 2017-06-27T03:11:34Z DaveX 2487 GPU emu non-exact rounding issues e.g. in Azurik: Rise of Perathia wikitext text/x-wiki GPU emu non-exact rounding issues e.g. in Azurik: Rise of Perathia 4755131d2894210f5101a3053fd9b587a3bd7e27 0 3685 5769 5292 2017-06-27T03:17:10Z DaveX 2487 image uploaded wikitext text/x-wiki {{Game}} === Known tricky behaviour === ==== Skinning code / Shader rounding mode ==== This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken. [[File:Azurik--Rise-of-Perathia--bugged.png]] IIRC Code is like: A0 = c[113].x + c[113].z = 18 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].x + c[113].z = 21 *do stuff with c[96+A0] to c[98+A0]* A0 = c[113].y * v2 *do stuff with c[96+A0] to c[98+A0]* c[113] is vec4(15, 765, 3, 0). 765 = 3*255. v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255. A0 = 765 * raw/255 = 3*raw. This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined.. To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack 2ba8973623cd779f095b53e61d529ed1a5bcf0e8 0 3804 5771 2017-06-27T21:19:43Z JayFoxRox 2 Created page with "Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM..." wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format code 0x0069. Despite this format-code difference the file formats (including header and data) are otherwise the same. There are no known differences to IMA ADPCM except for the WAV format code. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible. === Index-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] {{FIXME|reason=Link to explanation of IMA ADPCM WAV file format}} a0281cbf6fa9eb143647633d901bfbf740de70e1 5772 5771 2017-06-28T01:15:28Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format code 0x0069. Despite this format-code difference the file formats (including header and data) are otherwise the same. However, all Xbox ADPCM files seem to use 64 samples per block. Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). Aside from this there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. === Index-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] {{FIXME|reason=Link to explanation of IMA ADPCM WAV file format}} c7edc573c62a17695b5bc9353a067230d920cf85 5773 5772 2017-06-28T01:19:52Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format code 0x0069. Despite this format-code difference the file formats (including header and data) are otherwise the same. All Xbox ADPCM files seem to use 64 samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). Aside from this there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. === Index-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM] 799e83ceda51568b9b228057d81d66a187976137 5774 5773 2017-06-28T01:29:07Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. All Xbox ADPCM files seem to use 64 samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). Aside from this there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Index-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM] 6d0cbf183329be40693f5f7f99fccba647466749 5775 5774 2017-06-28T02:00:45Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. All Xbox ADPCM files seem to store 64 input samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). As the decoder-setup in every block contains a predictor for each channel, there will be 65 output samples per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Index-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM] a9e2d007bf6c365aa89225fc5dcea589d6e43d6a 5776 5775 2017-06-28T02:07:27Z JayFoxRox 2 Table cell alignment wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. All Xbox ADPCM files seem to store 64 input samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). As the decoder-setup in every block contains a predictor for each channel, there will be 65 output samples per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM encoding] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM] e8dfde080c7e397ec49ee190c4d442cb9de41c7d 5777 5776 2017-06-28T02:09:13Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. All Xbox ADPCM files seem to store 64 input samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). As the decoder-setup in every block contains a predictor for each channel, there will be 65 output samples per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM block encoding] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV header] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] a76afa529cdab428f0c9086fee5857226423cdc4 5778 5777 2017-06-28T02:10:01Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. All Xbox ADPCM files seem to store 64 input samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo). As the decoder-setup in every block contains a predictor for each channel, there will be 65 output samples per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 4cad1ce77826feacc9567fc83f33d99336d7e4d5 5779 5778 2017-06-28T10:48:39Z JayFoxRox 2 Add some table about storage (WIP) wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 input samples per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Snow;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {{FIXME|reason=Fix cell colors, can we somehow set the scope for background color?}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | colspan="4" | P = S0 | colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || S1 || S4 || S3 || S6 || S5 || S8 || S7 | style="background-color:SkyBlue;" | S10 || S9 || S12 || S11 || S14 || S13 || S16 || S15 | style="background-color:SkyBlue;" | S50 || S49 || S52 || S51 || S54 || S53 || S56 || S55 | style="background-color:SkyBlue;" | S58 || S57 || S60 || S59 || S62 || S61 || S64 || S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] cdb94548699b19d50c4414cad66ad9b599c4eed4 5780 5779 2017-06-28T10:49:43Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Snow;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {{FIXME|reason=Fix cell colors, can we somehow set the scope for background color?}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | colspan="4" | P = S0 | colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || S1 || S4 || S3 || S6 || S5 || S8 || S7 | style="background-color:SkyBlue;" | S10 || S9 || S12 || S11 || S14 || S13 || S16 || S15 | style="background-color:SkyBlue;" | S50 || S49 || S52 || S51 || S54 || S53 || S56 || S55 | style="background-color:SkyBlue;" | S58 || S57 || S60 || S59 || S62 || S61 || S64 || S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 81c05738d39c12c55ac13bda4b063a096541d5db 5781 5780 2017-06-28T10:50:08Z JayFoxRox 2 /* Mono */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Snow;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {{FIXME|reason=Fix cell colors, can we somehow set the scope for background color?}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" | colspan="4" | P = S0 | style="background-color:SkyBlue;" | colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || S1 || S4 || S3 || S6 || S5 || S8 || S7 | style="background-color:SkyBlue;" | S10 || S9 || S12 || S11 || S14 || S13 || S16 || S15 | style="background-color:SkyBlue;" | S50 || S49 || S52 || S51 || S54 || S53 || S56 || S55 | style="background-color:SkyBlue;" | S58 || S57 || S60 || S59 || S62 || S61 || S64 || S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 2a334fee575025bf00fd2cd4ce4413784f075465 5782 5781 2017-06-28T10:50:30Z JayFoxRox 2 /* Block format */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Snow;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {{FIXME|reason=Fix cell colors, can we somehow set the scope for background color?}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || S1 || S4 || S3 || S6 || S5 || S8 || S7 | style="background-color:SkyBlue;" | S10 || S9 || S12 || S11 || S14 || S13 || S16 || S15 | style="background-color:SkyBlue;" | S50 || S49 || S52 || S51 || S54 || S53 || S56 || S55 | style="background-color:SkyBlue;" | S58 || S57 || S60 || S59 || S62 || S61 || S64 || S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] d2c820a2860c575c5f5a6e07e646dd4ca051d18a 5783 5782 2017-06-28T10:56:45Z JayFoxRox 2 /* Mono */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Snow;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] d1cc54c79b13b6b57e2172bcc6727dd3f7b6407e 5784 5783 2017-06-28T11:00:15Z JayFoxRox 2 /* Block format */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Add table}} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] d8d5edb4da778f2ff3f9cb09bb1dba1cec6c84c0 5785 5784 2017-06-28T11:12:00Z JayFoxRox 2 Stereo Table (WIP) wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 | colspan="8" | W4 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 | colspan="2" | B16 || colspan="2" | B17 || colspan="2" | B18 || colspan="2" | B19 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 | style="background-color:White;" | S10 || style="background-color:White;" | S9 | style="background-color:White;" | S12 || style="background-color:White;" | S11 | style="background-color:White;" | S14 || style="background-color:White;" | S13 | style="background-color:White;" | S16 || style="background-color:White;" | S15 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] d2aeb96b7f7373559e8b8e18e2bae81ce74e68dc 5786 5785 2017-06-28T11:12:43Z JayFoxRox 2 /* Block format */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right * All indices start at 0 ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 | colspan="8" | W4 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 | colspan="2" | B16 || colspan="2" | B17 || colspan="2" | B18 || colspan="2" | B19 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 | style="background-color:White;" | S10 || style="background-color:White;" | S9 | style="background-color:White;" | S12 || style="background-color:White;" | S11 | style="background-color:White;" | S14 || style="background-color:White;" | S13 | style="background-color:White;" | S16 || style="background-color:White;" | S15 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] ff30813bb3ad65f62964109a2da8e1a764927156 0 3804 5787 5786 2017-06-28T11:12:58Z JayFoxRox 2 /* Block format */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 | colspan="8" | W4 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 | colspan="2" | B16 || colspan="2" | B17 || colspan="2" | B18 || colspan="2" | B19 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 | style="background-color:White;" | S10 || style="background-color:White;" | S9 | style="background-color:White;" | S12 || style="background-color:White;" | S11 | style="background-color:White;" | S14 || style="background-color:White;" | S13 | style="background-color:White;" | S16 || style="background-color:White;" | S15 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 8ca1b2b6751b5e8d00f411bedfd3e0d75e527a56 5788 5787 2017-06-28T11:13:51Z JayFoxRox 2 /* Stereo */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W7 | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B28 || colspan="2" | B29 || colspan="2" | B30 || colspan="2" | B31 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S50 || style="background-color:SkyBlue;" | S49 | style="background-color:SkyBlue;" | S52 || style="background-color:SkyBlue;" | S51 | style="background-color:SkyBlue;" | S54 || style="background-color:SkyBlue;" | S53 | style="background-color:SkyBlue;" | S56 || style="background-color:SkyBlue;" | S55 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] ba85ecfe06bb3b8ee97087f4a440ecce98ae1577 5789 5788 2017-06-28T11:15:21Z JayFoxRox 2 /* Mono */ wikitext text/x-wiki Xbox used it's own WAV file format to encode ADPCM data. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 74e91b4daa39bdffb94a93da37eaf5c7cf629277 5790 5789 2017-06-28T11:21:52Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 |- ! 0 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |- ! 8 | -1 || -1 || -1 || -1 || 2 || 4 || 6 || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] f7a9a00f4d98fecc05fbee8bed25cf68bc49a6a6 5793 5790 2017-06-28T11:33:32Z JayFoxRox 2 /* Index-Table */ wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1 {{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] c722e9778ca1ac2e98d68fa115f5f8d5999cb96d 5795 5793 2017-06-28T11:35:04Z JayFoxRox 2 /* Step-Table */ wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1 {{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {{FIXME|reason=Use no-select and hc macros}} {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] c1c580bc508a38294a4b49c6ccc4f80e0fad1fad 5797 5795 2017-06-28T11:47:30Z JayFoxRox 2 Removed bad space wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {{FIXME|reason=Use no-select and hc macros}} {| class="wikitable" style="text-align: right;" ! || +0 || +1 || +2 || +3 || +4 || +5 || +6 || +7 || +8 || +9 |- ! 0 | 7 || 8 || 9 || 10 || 11 || 12 || 13 || 14 || 16 || 17 |- ! 10 | 19 || 21 || 23 || 25 || 28 || 31 || 34 || 37 || 41 || 45 |- ! 20 | 50 || 55 || 60 || 66 || 73 || 80 || 88 || 97 || 107 || 118 |- ! 30 | 130 || 143 || 157 || 173 || 190 || 209 || 230 || 253 || 279 || 307 |- ! 40 | 337 || 371 || 408 || 449 || 494 || 544 || 598 || 658 || 724 || 796 |- ! 50 | 876 || 963 || 1060 || 1166 || 1282 || 1411 || 1552 || 1707 || 1878 || 2066 |- ! 60 | 2272 || 2499 || 2749 || 3024 || 3327 || 3660 || 4026 || 4428 || 4871 || 5358 |- ! 70 | 5894 || 6484 || 7132 || 7845 || 8630 || 9493 || 10442 || 11487 || 12635 || 13899 |- ! 80 | 15289 || 16818 || 18500 || 20350 || 22385 || 24623 || 27086 || 29794 || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 72e18d306837449d9714ce3639ba43107e6348fc 5798 5797 2017-06-28T11:51:36Z JayFoxRox 2 Make table easy to copy wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | rowspan="3" | ... | colspan="8" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 ! {{no-select}} | +8 ! {{no-select}} | +9 |- ! {{no-select}} | 0 | 7{{hc}} || 8{{hc}} || 9{{hc}} || 10{{hc}} || 11{{hc}} || 12{{hc}} || 13{{hc}} || 14{{hc}} || 16{{hc}} || 17{{hc}} |- ! {{no-select}} | 10 | 19{{hc}} || 21{{hc}} || 23{{hc}} || 25{{hc}} || 28{{hc}} || 31{{hc}} || 34{{hc}} || 37{{hc}} || 41{{hc}} || 45{{hc}} |- ! {{no-select}} | 20 | 50{{hc}} || 55{{hc}} || 60{{hc}} || 66{{hc}} || 73{{hc}} || 80{{hc}} || 88{{hc}} || 97{{hc}} || 107{{hc}} || 118{{hc}} |- ! {{no-select}} | 30 | 130{{hc}} || 143{{hc}} || 157{{hc}} || 173{{hc}} || 190{{hc}} || 209{{hc}} || 230{{hc}} || 253{{hc}} || 279{{hc}} || 307{{hc}} |- ! {{no-select}} | 40 | 337{{hc}} || 371{{hc}} || 408{{hc}} || 449{{hc}} || 494{{hc}} || 544{{hc}} || 598{{hc}} || 658{{hc}} || 724{{hc}} || 796{{hc}} |- ! {{no-select}} | 50 | 876{{hc}} || 963{{hc}} || 1060{{hc}} || 1166{{hc}} || 1282{{hc}} || 1411{{hc}} || 1552{{hc}} || 1707{{hc}} || 1878{{hc}} || 2066{{hc}} |- ! {{no-select}} | 60 | 2272{{hc}} || 2499{{hc}} || 2749{{hc}} || 3024{{hc}} || 3327{{hc}} || 3660{{hc}} || 4026{{hc}} || 4428{{hc}} || 4871{{hc}} || 5358{{hc}} |- ! {{no-select}} | 70 | 5894{{hc}} || 6484{{hc}} || 7132{{hc}} || 7845{{hc}} || 8630{{hc}} || 9493{{hc}} || 10442{{hc}} || 11487{{hc}} || 12635{{hc}} || 13899{{hc}} |- ! {{no-select}} | 80 | 15289{{hc}} || 16818{{hc}} || 18500{{hc}} || 20350{{hc}} || 22385{{hc}} || 24623{{hc}} || 27086{{hc}} || 29794{{hc}} || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 26bbf1a69d1548d4376b3605840223b3fb7a56c6 5799 5798 2017-06-28T20:55:28Z JayFoxRox 2 /* Mono */ wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (65:36 compression ratio = 44.6% compression). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" width="20%" | W0 | colspan="8" width="20%" | W1 | colspan="8" width="20%" | W2 | rowspan="3" width="5%" | ... | colspan="8" width="20%" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 ! {{no-select}} | +8 ! {{no-select}} | +9 |- ! {{no-select}} | 0 | 7{{hc}} || 8{{hc}} || 9{{hc}} || 10{{hc}} || 11{{hc}} || 12{{hc}} || 13{{hc}} || 14{{hc}} || 16{{hc}} || 17{{hc}} |- ! {{no-select}} | 10 | 19{{hc}} || 21{{hc}} || 23{{hc}} || 25{{hc}} || 28{{hc}} || 31{{hc}} || 34{{hc}} || 37{{hc}} || 41{{hc}} || 45{{hc}} |- ! {{no-select}} | 20 | 50{{hc}} || 55{{hc}} || 60{{hc}} || 66{{hc}} || 73{{hc}} || 80{{hc}} || 88{{hc}} || 97{{hc}} || 107{{hc}} || 118{{hc}} |- ! {{no-select}} | 30 | 130{{hc}} || 143{{hc}} || 157{{hc}} || 173{{hc}} || 190{{hc}} || 209{{hc}} || 230{{hc}} || 253{{hc}} || 279{{hc}} || 307{{hc}} |- ! {{no-select}} | 40 | 337{{hc}} || 371{{hc}} || 408{{hc}} || 449{{hc}} || 494{{hc}} || 544{{hc}} || 598{{hc}} || 658{{hc}} || 724{{hc}} || 796{{hc}} |- ! {{no-select}} | 50 | 876{{hc}} || 963{{hc}} || 1060{{hc}} || 1166{{hc}} || 1282{{hc}} || 1411{{hc}} || 1552{{hc}} || 1707{{hc}} || 1878{{hc}} || 2066{{hc}} |- ! {{no-select}} | 60 | 2272{{hc}} || 2499{{hc}} || 2749{{hc}} || 3024{{hc}} || 3327{{hc}} || 3660{{hc}} || 4026{{hc}} || 4428{{hc}} || 4871{{hc}} || 5358{{hc}} |- ! {{no-select}} | 70 | 5894{{hc}} || 6484{{hc}} || 7132{{hc}} || 7845{{hc}} || 8630{{hc}} || 9493{{hc}} || 10442{{hc}} || 11487{{hc}} || 12635{{hc}} || 13899{{hc}} |- ! {{no-select}} | 80 | 15289{{hc}} || 16818{{hc}} || 18500{{hc}} || 20350{{hc}} || 22385{{hc}} || 24623{{hc}} || 27086{{hc}} || 29794{{hc}} || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] 19117e02d6bcc3906f99477b03df8cafcb8eff99 10 3805 5791 2017-06-28T11:29:26Z JayFoxRox 2 Created page with "style="-webkit-user-select: none;-khtml-user-select: none;-moz-user-select: none;-ms-user-select: none;-o-user-select: none;user-select: none;"" wikitext text/x-wiki style="-webkit-user-select: none;-khtml-user-select: none;-moz-user-select: none;-ms-user-select: none;-o-user-select: none;user-select: none;" 706577727232a27e16ddbb085f3d252dc6135750 10 3806 5792 2017-06-28T11:33:17Z JayFoxRox 2 Created page with "<noinclude>Creates a hidden comma symbol which can still be copied</noinclude><span style="display:hidden">,</span>" wikitext text/x-wiki <noinclude>Creates a hidden comma symbol which can still be copied</noinclude><span style="display:hidden">,</span> 2f318ff1b5179d422a4b79b0e31ab2c0f48e2282 5794 5792 2017-06-28T11:34:06Z JayFoxRox 2 This had a bug wikitext text/x-wiki <noinclude>Creates a hidden comma symbol which can still be copied</noinclude><span style="display:none;">,</span> e8d9031380eda992a38cd0251762af0422fb941f 5796 5794 2017-06-28T11:45:58Z JayFoxRox 2 wikitext text/x-wiki <noinclude>Creates a hidden comma symbol which can still be copied</noinclude><span style="font-size: 0; color: rgba(0,0,0,0);">,</span> 4bc0aa18e1d3828525f6d46e75ccd1c61cd8f339 0 3800 5800 5761 2017-06-28T23:37:44Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [http://www.zdomain.com/a56.html A56, open-source assembler for the 56000 architecture] 1e801f585797ed4d9db741dd4a52ef98265d2f4a 5804 5800 2017-06-28T23:47:41Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [http://www.zdomain.com/a56.html A56, open-source assembler for the similar 56000 architecture] 02d9b27d087fda50212881d71840e2aed7accdbd 0 3799 5801 5770 2017-06-28T23:39:19Z JayFoxRox 2 /* Encode Processor (EP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP runs all enabled sound effects on the voice bins. The GP DSP seems to run at 160 MHz === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 3f639d6c3688a3ac3e9afa0503cadb67e7f828f9 5802 5801 2017-06-28T23:40:35Z JayFoxRox 2 /* Global Processor (GP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for filter / effects. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 246b2811ec7468fbb410a63c550e19cb90873428 5803 5802 2017-06-28T23:46:28Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] fc3f4c2ef7750b36954a8ecc3f54ba2ded7379bc 5805 5803 2017-06-29T00:07:06Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch * 2x Pitch (?) envelope * 2x LFO (?) envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 10487e0ed2dd277bf8aa4f5a330f5872a0635bef 5806 5805 2017-06-30T20:25:37Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) * Volume Envelope * Pitch / Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 800acc38380859f9a25e84372dac27245c14a4fb 5807 5806 2017-06-30T20:26:18Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) * Volume Envelope * Pitch / Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 024096d4816bc87bded65780208f206986f1084e 5808 5807 2017-06-30T21:01:22Z JayFoxRox 2 Filter modes.. holy shit wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) * Volume Envelope * Pitch / Cutoff Envelope * Optionally one of the following filters modes: * For 2D Mono: * DLS2 Low-Pass * Parametric Equalizer * DLS2 Low-Pass + Parametric Equalizer * For 2D Stereo: * DLS2 Low-Pass * Parametric Equalizer * For 3D: * DLS2 Low-Pass + I3DL2 Reverb * Parametric Equalizer + I3DL2 Reverb * I3DL2 Reverb * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Related notes == * [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] * [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] * [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] f428914bd7d64983685e9111558e3dd1d07b18f1 5809 5808 2017-06-30T21:01:59Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / Cutoff Envelope * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Related notes == * [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] * [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] * [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 767bacca8cb74af0235fa2f029c1636c725f9df3 5810 5809 2017-06-30T21:05:51Z JayFoxRox 2 /* Related notes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / Cutoff Envelope * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers] 624ff2eb17dc3bedc5280be852b8fb94cdf66dae 5811 5810 2017-06-30T21:06:29Z JayFoxRox 2 /* Related */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / Cutoff Envelope * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === * Delay = Time where envelope stays at 0% until attack * Attack = Rate at which the envelope goes from 0 to 100% * Hold = Time the envelope stays at 100% * Decay = Rate at which the envelope goes from 100% to sustain level * Sustain = Level at which the envelope stays while the voice is being played * Release = Rate at which the envelope goes from current level to 0% {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] be6693a0e23360af9abc29197997c097a3c13500 5812 5811 2017-07-01T13:12:34Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / Cutoff Envelope * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 005a10a77d26fb73c2405f2a67b1ff0b88978b1d 5813 5812 2017-07-01T13:13:29Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] b3010e48bd10e40b18d8b8057d41f31172d6b982 5814 5813 2017-07-01T13:49:26Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz{{citation needed|reason=Derived from the following formulas, but probably correct as 48000/3 = 1500 = good clock divider}}. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 5002e35cde2cdb160cdce36ce500c119de792a07 5815 5814 2017-07-01T13:50:03Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz{{citation needed|reason=Derived from the following formulas, but probably correct as 48000/3 = 1500 = good clock divider}}. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 411511435e87277b71d004e98eed6e7d4d4ecf0d 5816 5815 2017-07-01T14:25:23Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz{{citation needed|reason=Derived from the following formulas, but probably correct as 48000/32 = 1500 = good clock divider}}. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] e936e9c247869428538af29ce13e5d312c58e6db 5818 5816 2017-07-01T14:58:47Z JayFoxRox 2 Measured the actual speeds and visualized the results wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] c0c3c2ddc50f9641ed7a29f5af29ceafb507b2ae 5819 5818 2017-07-01T15:25:29Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== {{FIXME|reason=Research}} ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] a1334060ef050f9c78865baaf71aaa47e7e50ae6 5821 5819 2017-07-01T15:54:46Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. {{FIXME|reason=Add units and graphics}} ==== Volume Envelope ==== The volume envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Pitch / Cutoff Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] c23f57b22d168fadf5877b558ba8db1991498dc0 5824 5821 2017-07-01T16:30:41Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Volume Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Volume Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Volume Envelope ==== The volume envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] bb7e5d118802f6d933ded6750d9135a9fef7ff2d 5825 5824 2017-07-01T17:05:40Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] a32646253024583e67740e5c02a3fe1f38b1c410 5826 5825 2017-07-01T18:18:39Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== {{FIXME|reason=Untested. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c: Cutoff frequency * r: Resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] a65740937f7de95b35e151aeb882f4eeade1bc29 5827 5826 2017-07-01T20:09:19Z JayFoxRox 2 /* DLS2 */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 226a7a47ed656ff3e45f826c2a0872d4e77fc519 5828 5827 2017-07-01T20:50:03Z Codeasm 2480 /* Voice Processor (VP) */ Source link for number of voices wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices[https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] c7ba0fa009167b39b153443f376bd6e8a86fda47 5830 5828 2017-07-01T21:09:38Z Codeasm 2480 /* Voice Processor (VP) */ sound guy needs to be there somewhere. www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 3cd0f121dbc7cb1f27be0390c9f1bbf31078e7e9 5831 5830 2017-07-01T22:15:08Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] b1843fad320ed72f70cf9a2b71cb96cf23d1b753 5832 5831 2017-07-01T22:31:47Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * 8 target bins, each with a custom volume for this voice There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}}{{FIXME|reason=At which COUNT does this start, at which level does this end? Where would an amplitude be stored?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] e7b0a7d46e3a007a641387195ec33d55d9f239cd 5833 5832 2017-07-01T22:38:48Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this: * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}}{{FIXME|reason=At which COUNT does this start, at which level does this end? Where would an amplitude be stored?}} * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope hits the zero level during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 37ce5815955ae8e1123eea1809aa484770949bcd 5834 5833 2017-07-02T13:48:14Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register is 0 ** LVL is continously updated to sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at the full releaserate, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** The actual output level is probably determined like: <code>max(COUNT - LVL, 0)</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 3b414c79db6080bbfb1f329fa6c4920aaddb027f 1 3807 5817 2017-07-01T14:27:38Z JayFoxRox 2 /* Envelope COUNT register clock */ new section wikitext text/x-wiki == Envelope COUNT register clock == In my experiments, using the longest envelopes seems to use 1500 Hz (512 / 48000 Hz). However, when doing shorter tests it seemed more like 1600 Hz (480 / 48000 Hz). I'm thinking that one of the COUNT register bits actually controls this. All tests were done with HOLD and ATTACK. 0b042f05e9a6927e5024a80f49de16e6f3cdc31b 5820 5817 2017-07-01T15:26:33Z JayFoxRox 2 Resolved, I visualized the envelope running at 1500 Hz and the buffer at 48kHz, however, the buffer was actually at 44.1kHz = my visualization was wrong wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 10 3747 5822 5443 2017-07-01T15:57:11Z JayFoxRox 2 wikitext text/x-wiki ^{''[<span title="This information is incomplete and needs more work or research. {{{reason}}}">FIXME</span>]''}<noinclude> ==Documentation== ''<nowiki>{{FIXME}}</nowiki>'' * Tells a visitors that something is missing. * Displays: ^{''[<span title="This information is incomplete and needs more work or research">FIXME</span>]''}<noinclude> * If you see FIXME somewhere, try to add the missing information to it <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> 8e85a91c3fbaf2431d9f14baf6176c3419b778b3 5823 5822 2017-07-01T15:58:21Z JayFoxRox 2 wikitext text/x-wiki ^{''[<span title="{{{reason|This information is incomplete and needs more work or research.}}}">FIXME</span>]''}<noinclude> ==Documentation== ''<nowiki>{{FIXME}}</nowiki>'' * Tells a visitors that something is missing. * Displays: ^{''[<span title="This information is incomplete and needs more work or research">FIXME</span>]''}<noinclude> * If you see FIXME somewhere, try to add the missing information to it <noinclude> [[Category:Templates|{{PAGENAME}}]]</noinclude> e356d6b5a2aacbb02ac0070aea24350ea1ca35dc 0 3671 5829 5763 2017-07-01T20:52:23Z Codeasm 2480 added source links, altho those arent 100% complete or correct (56K modems arent in the MCPX at all) wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. The MCPX is also the home to the secret [[MCPX ROM]]. f817e7698c6fa90f3c2891b4a798220818d1ac70 0 3706 5835 5566 2017-07-02T21:58:44Z Wayo 2479 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blitz Games |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 78d4141b980a4b6648f3969d38083d88b3162477 0 3751 5836 5721 2017-07-03T07:23:59Z Codeasm 2480 /* Savegames */ Added the Frogger exploit (as seen in presentations) and recent addition THPS4 (grimdoomers work) wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310] == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 391af3fbad66618ba0f54669a240b3dce7bcc1a5 0 3706 5837 5835 2017-07-03T07:32:05Z Wayo 2479 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 6a14218db3e0f445b7da9cf046ca611a4a223036 5842 5837 2017-07-03T16:51:48Z Wayo 2479 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 6afc5544e8bf19c962b1a1bd0557310fceb3027e 0 3751 5838 5836 2017-07-03T07:43:34Z Codeasm 2480 /* Tony Hawk's Pro Skater 4 */ added grimdoomers exploit (also chat snippet I had from him.) wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 9b2f115fc0cee98f99c90c9aa4287f6830b608df 5839 5838 2017-07-03T07:44:14Z Codeasm 2480 /* Tony Hawk's Pro Skater 4 */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] defef64838e4e6d5f731ced28dd6b62ccf45923e 5840 5839 2017-07-03T08:12:36Z Codeasm 2480 /* Savegames */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] d5f15656dfdb4e1038c1883e41885d97efe94e20 5893 5840 2017-07-16T14:18:58Z JayFoxRox 2 wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Unsure what data it is yet (can only be dumped to AC3 but I have no AC3 / Toslink sniffer) * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is likely to be lost. However, this was not tested in praxis. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be risky as harddisk contents have to be modified for the temporary softmod. | Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 63ad8ba4cfa778b626f56228ef41e55beff00685 0 3700 5841 5717 2017-07-03T12:51:46Z Codeasm 2480 /* Dumping */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middel the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unkown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] f02a5fa1a29a27380d771d5b6ba1724b6da2e825 1 3808 5843 2017-07-03T19:07:21Z Codeasm 2480 Created page with "Some versions now are considered just lib versions and not xdk or kernel. further research needs to be done, ill keep this wiki in check with my new findings aswell to preven..." wikitext text/x-wiki Some versions now are considered just lib versions and not xdk or kernel. further research needs to be done, ill keep this wiki in check with my new findings aswell to prevent mistakes due my list when I started to look into wich XDKs where leaked or a complete list of known kernels and NOT any hacked ones. I do hope my search and my work are helpfull and any suggestions are welcome. I did get some ppl who asked to get their names removed or complete versions, but so far I managed to find proof for most versions to have excisted in some way. most are either a kernel or Lib inside an xbe. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 12:07, 3 July 2017 (PDT) ede6a4b695024f3da74ba81f96f30f76c3efeab9 5844 5843 2017-07-03T19:30:45Z Codeasm 2480 5933/5911 weirdness wikitext text/x-wiki == CodeAsms kernel/lib/XDK list == Some versions now are considered just lib versions and not xdk or kernel. I yet have to make a change to my version files to reflect wich are what. it might else lead to people believe there where more kernels or XDK than MS officialy made (they could have iterated internaly a certain library but never builded a full SDK, kernel or Dashboard for that particular version. it became very clear my list had shortcommings making the 360 and Xbox one list. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 12:07, 3 July 2017 (PDT) == 5933/5911 == XBOX XDK 5933 is known to be leaked by WAM. there are sofar no known games wich are compiled using 5911 libs or a entire SDK unless someone comes forward with it. I did find Cxbx-reloaded to mention it on line: 1766 of Convert.h [https://github.com/Cxbx-Reloaded/Cxbx-Reloaded/blob/master/src/CxbxKrnl/EmuD3D8/Convert.h#L1766 ] but this seemed a backport done by espes. --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 12:30, 3 July 2017 (PDT) 0722e6fd682c0e60cc90b4692dd15751cde41b2c 0 12 5845 5242 2017-07-03T19:32:15Z Codeasm 2480 /* List of known versions */ wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == {| class="wikitable" ! Version ! Comments |- ! 3424 | April 2001 XDK and SDK (03.01.01 - New for April XDK release) |- ! 3521 | May XDK 2001 |- ! 3911 | August XDK 2001 (( Final Hardware Recovery) (build on WIN2000 5. 2134/2195 ? 5.1.2258.400)(*) |- ! 3925 | Retail? XDK(*) |- ! 3936 | (*) |- ! 3937 | (*) |- ! 3941 | (*) |- ! 3948 | (*) |- ! 3950 | (*) |- ! 4020 | Seen on an official Xbox recovery tool |- ! 4034 | (*) |- ! 4039 | (*) |- ! 4134 | December 2001 XDK (*) |- ! 4242 | February 2002 XDK (*) |- ! 4361 | March 2002 XDK |- ! 4400 | rare |- ! 4432 | April 2002 XDK |- ! 4531 | May 2002 XDK |- ! 4627 | June 2002 XDK |- ! 4721 | July 2002 XDK |- ! 4831 | August 2002 XDK |- ! 4928 | September 2002 XDK |- ! 5028 | October 2002 XDK |- ! 5120 | November 2002 XDK |- ! 5233 | December 2002 XDK |- ! 5344 | February 2003 XDK |- ! 5455 | April 2003 XDK |- ! 5558 | June 2003 XDK |- ! 5659 | August 2003 XDK |- ! 5788 | November 2003 XDK |- ! 5849 | December 2003 XDK |- ! 5849 | .16 |- ! 5933 | uncertain number - Dxbx code mentions 5911 (wich seemed incorrect) |- ! 5960 | last official dashboard |} (*) : Earlier XDK's contained libraries with different versions numbers. Before or around XDK version 4361, all libraries in the XDK were given the same version number. Note : An even more complete listing can be found here : http://codeasm.com/xbox/files/Xbox%20Kernel_Dash_XDK%20versions.txt 223737ec4fdf11b9bc85a65d17e70f6a04874a75 0 3799 5846 5834 2017-07-03T20:32:17Z JayFoxRox 2 More details wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at the full releaserate, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>max(COUNT - LVL, 0)</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] b5b6f6ed664a553e3ddcb19cb4672e3eaec4f169 5847 5846 2017-07-03T20:46:22Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at the full releaserate, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>max(COUNT - LVL, 0)</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] c45becd1027f4f2dec8bda80328e19e81f7e8d8f 5848 5847 2017-07-04T11:01:21Z JayFoxRox 2 /* Related notes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at the full releaserate, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>max(COUNT - LVL, 0)</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 1ccfc76ff17459ee29fb3ab026a1cb57b760c396 5849 5848 2017-07-04T16:41:05Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 7a159ede9a0547e7aa1089677c4b8eb338aa73b0 5850 5849 2017-07-04T16:42:40Z JayFoxRox 2 /* Voice Processor (VP) */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] cd2b4cb4e6dd71bd426df609c94b1e785f8cf271 5851 5850 2017-07-04T20:30:06Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate sections of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** When sustain level is reached the decay section is over ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 3f0c767c718b691520ffb21c229628777bbe4927 5852 5851 2017-07-04T20:41:32Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] be3ff82c2715361f32287d3a77c243d9e8423db6 5853 5852 2017-07-04T20:45:23Z JayFoxRox 2 /* Envelopes */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] ba6f1309686e3fb00c5a3cc8c4bf7ad4c4528b29 5859 5853 2017-07-05T16:37:49Z JayFoxRox 2 /* Usage in DirectSound */ wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound APIs. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] 073387540aea42478d50d89bbe89354a727c0046 0 3672 5854 5723 2017-07-05T08:01:57Z KaosEngineer 2482 Hex goes to F not 9 just a little correction 0x00 - 0x7F instead of 0x79 for unknown address range wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x00000007F Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 0dedc79b87028a0e8473c363a6ca78bdc1186dfe 5855 5854 2017-07-05T08:04:59Z KaosEngineer 2482 8 nibbles instead of 9 for 0x0000007F Unknown region address range wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000-0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash]]. The BIOS image is actually 256KiB, duplicated 4 times to fill the 1MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x0000007F Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 216f130de0965fea4afd3131b0a55985a1a6867b 0 3670 5856 5727 2017-07-05T08:11:41Z KaosEngineer 2482 /* MCPX 1.0 */ typo BL2 change to 2BL wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[Exploits#MCPX|MCPX exploits]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the 2BL from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. Microsoft implemented a TEA algorithm to create a hash of the FBL and if that was correct, it would jump to 0xffffd400. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] 3b3548ce7ae8626a271b240fbc48e1bda82cdece 5857 5856 2017-07-05T08:14:53Z KaosEngineer 2482 /* MCPX 1.1 */ typo FBL to 2BL "...to create a hash of the FBL and if that was correct..." and jump address lower to upper case HEX. wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[Exploits#MCPX|MCPX exploits]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the 2BL from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. Microsoft implemented a TEA algorithm to create a hash of the FBL and if that was correct, it would jump to 0xFFFFD400. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xqemu-tools/blob/master/disassemble-mcpx.sh disassemble-mcpx.sh: A bash-script to disassemble/annotate MCPX 1.0 dumps] ececccb1e6d7abbbdd132227cb60fe286f57d811 5858 5857 2017-07-05T10:41:48Z JayFoxRox 2 /* References */ wikitext text/x-wiki The purpose of the MCPX ROM is to setup the GPT table, enter 32 bit mode, Enable caching, decrypt the second bootloader (2BL) and then transfer control over to it. It has a fair few things to do, so also contains an interpreter to read instructions from the BIOS (known as xcodes). There are two known versions of the MCPX ROM, 1.0 and 1.1. 1.0 was found in the 1.0 Xbox and used an RC4 algorithm to decrypt the 2BL. For 1.1 Microsoft switched to a TEA algorithm. The code on the chips is largely the same, but for those two differences{{citation needed}}. == Dumping the MCPX ROM == This is no mean feat. In the event of failure, or shortly after the 2BL execution has started, the Xbox executes the following codes: <pre> mov eax,0x80000880 mov dx,0xcf8 out dx,eax </pre> This turns off the MCPX ROM, making it invisible to anything trying to read it. See [[Exploits#MCPX|MCPX exploits]] for more details. == MCPX Common == As mentioned, the MCPX chips are largely the same. When the Xbox is powered on, the BIOS is loaded to the top 16 MB of memory (See [BIOS] for more details), and the MCPX ROM overlays the last 512 bytes of that memory. The Reset Vector tells the CPU to start executing code from 0xFFFFFFF0 (well, 0xFFFF:FFF0 due to being in 16 bit mode, but that is beyond the scope of this article). The first thing it does is setup the memory to consist of a 4GB continuous area, and then activates 32 bit mode. Starts executing code from BIOS (starting at 0xFF000080) using the [xcode interpreter]. Next it initialises the MTRR, enables caching, and then things become different. == MCPX 1.0 == The 1.0 ROM runs an RC4 algorithm to decrypt the 2BL from flash (starting at 0xFFFF9E00) and load the unencrypted 2BL to memory (0x90000). It checks the signature of the decrypted 2BL and if it is correct, starts executing code at 0x90000. Otherwise it errors. == MCPX 1.1 == Because of the flaws of the previous method, Microsoft changed the way the 2BL was decrypted. Microsoft implemented a TEA algorithm to create a hash of the FBL and if that was correct, it would jump to 0xFFFFD400. This isn't in Memory, but rather in the BIOS. Otherwise it would error. == Error Handling == The MCPX turns itself off when there is an error and then jumps to 0x000001FA. This is technically in the BIOS (there is no MCPX to read from any more), but the code is still relevant. It pretty much just makes the LEDs flash and hang. == See Also == * [[MCPX HLE]] == References == * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Xbox Boot ROM] * [https://github.com/JayFoxRox/xbox-tools/ mcpx-tool: A bash-script to disassemble/annotate MCPX dumps] fd243799017141e581f1709a28111a56a6aed004 3 3809 5860 2017-07-09T08:59:18Z KaosEngineer 2482 Hard Drive Contents reformat presentation as there are a multitude of versions. wikitext text/x-wiki Hard Drive Contents page. Should this set of pages be formatted to have a main page that lists the various versions of Xbox dashboards as there are many. The final 5960 and a lot of previous minor and major updates from the initial release on Xbox v1.0's. I've found a list of versions at two different web sites but the content is not listed for all the HDD files. 1. http://codeasm.com/xbox/Kernel_Dash_versions.htm 2. http://toogam.bespin.org/xboxmod/site/versions.htm Still looking for archives of all the various versions. A complete list of all files listed for each dashboard version instead of one with all the differences. The main page would list all the major/minor releases of dashboards that a user can select to see the full contents of each version. 9f488c9877a67b231b7bb31057ba7d7a80066298 5861 5860 2017-07-09T09:17:11Z KaosEngineer 2482 wikitext text/x-wiki Hard Drive Contents page. Should this set of pages be formatted to have a main page that lists the various versions of Xbox dashboards as there are many. The final 5960 and a lot of previous minor and major updates from the initial release on Xbox v1.0's. I've found a list of versions at two different web sites but the content is not listed for all the HDD files. 1. http://codeasm.com/xbox/Kernel_Dash_versions.htm 2. http://toogam.bespin.org/xboxmod/site/versions.htm `Dashboard Versions 3944 (referenced) I think this version number may not be displayed on the System Info screen under the Settings option of the dashboard's main menu. 4034 (referenced) 4817 (referenced) 1.00.4920.01 revision 10027100 (referenced) Contains a "C:\xboxdashdata.10027100" directory Known to be bundled with an Xbox using 4817 kernel 4920 revision 1012a700 (referenced) Contains a "C:\xboxdashdata.1012a700" directory Bundled with Slayer's EvoX Auto-Installer v2.5 CD which is just over 100MB large. 1.00.4960.01 w/ 17cdc100 directory Contains a "C:\xboxdashdata.1012a700" directory Obtained by using Dash 4920 revision 10027100 and getting an "Xbox Live!" update. The dash was updated to this version and a dialog box said the system needed to restart to obtain the latest dashboard, and then I rebooted and saw this instead of pushing OK in the dialog box and continuing to update. The following files were different: The C:\xboxdashdata.1012a700 was renamed to C:\17cdc100 xboxdash.xbe was different (slightly larger) Files under C:\xodash\ were updated, including the two XBE files. None of the XBE files were dated later than August of 2003, even though I downloaded the files later. Sorry, this isn't a salvation for Kernel 5713 users. 1.00.5659.03 revision 17F14D00 I believe this came from updating using Ninja Gaiden. 1.00.5659.03 revision 17e4cd00 (referenced) Sealed the security breaches that let old font hacks and audio hacks work. (All newer versions also will not work with the old hacks.) 5960 (referenced) sylver77 has concluded that dashboard 4627 does not exist which is why it is never tested in any of the homebrew software. I have seen references to an XDK dashboard version 4627, so I suppose the official XDK developers have some sort of thing called the "XDK Dashboard". Some/all of these dashboard versions were simply taken from the MS Dashboard DVD Region Free Patch compatibility list. ` Still looking for archives of all the various versions. A complete list of all files listed for each dashboard version instead of one with all the differences. The main page would list all the major/minor releases of dashboards that a user can select to see the full contents of each version. 5c8091c46d96d5c029b17d1c15876abe93de8a97 5862 5861 2017-07-09T09:18:01Z KaosEngineer 2482 wikitext text/x-wiki Hard Drive Contents page. Should this set of pages be formatted to have a main page that lists the various versions of Xbox dashboards as there are many. The final 5960 and a lot of previous minor and major updates from the initial release on Xbox v1.0's. I've found a list of versions at two different web sites but the content is not listed for all the HDD files. 1. http://codeasm.com/xbox/Kernel_Dash_versions.htm 2. http://toogam.bespin.org/xboxmod/site/versions.htm `Dashboard Versions from source 2: 3944 (referenced) I think this version number may not be displayed on the System Info screen under the Settings option of the dashboard's main menu. 4034 (referenced) 4817 (referenced) 1.00.4920.01 revision 10027100 (referenced) Contains a "C:\xboxdashdata.10027100" directory Known to be bundled with an Xbox using 4817 kernel 4920 revision 1012a700 (referenced) Contains a "C:\xboxdashdata.1012a700" directory Bundled with Slayer's EvoX Auto-Installer v2.5 CD which is just over 100MB large. 1.00.4960.01 w/ 17cdc100 directory Contains a "C:\xboxdashdata.1012a700" directory Obtained by using Dash 4920 revision 10027100 and getting an "Xbox Live!" update. The dash was updated to this version and a dialog box said the system needed to restart to obtain the latest dashboard, and then I rebooted and saw this instead of pushing OK in the dialog box and continuing to update. The following files were different: The C:\xboxdashdata.1012a700 was renamed to C:\17cdc100 xboxdash.xbe was different (slightly larger) Files under C:\xodash\ were updated, including the two XBE files. None of the XBE files were dated later than August of 2003, even though I downloaded the files later. Sorry, this isn't a salvation for Kernel 5713 users. 1.00.5659.03 revision 17F14D00 I believe this came from updating using Ninja Gaiden. 1.00.5659.03 revision 17e4cd00 (referenced) Sealed the security breaches that let old font hacks and audio hacks work. (All newer versions also will not work with the old hacks.) 5960 (referenced) sylver77 has concluded that dashboard 4627 does not exist which is why it is never tested in any of the homebrew software. I have seen references to an XDK dashboard version 4627, so I suppose the official XDK developers have some sort of thing called the "XDK Dashboard". Some/all of these dashboard versions were simply taken from the MS Dashboard DVD Region Free Patch compatibility list. ` Still looking for archives of all the various versions. A complete list of all files listed for each dashboard version instead of one with all the differences. The main page would list all the major/minor releases of dashboards that a user can select to see the full contents of each version. cb62b0ac20c4673571c08d64ee8d44b2858dee91 5863 5862 2017-07-09T09:31:27Z KaosEngineer 2482 wikitext text/x-wiki Hard Drive Contents page. Should this set of pages be formatted to have a main page that lists the various versions of Xbox dashboards as there are many. The final 5960 and a lot of previous minor and major updates from the initial release on Xbox v1.0's. I've found a list of versions at two different web sites but the content is not listed for all the HDD files. 1. http://codeasm.com/xbox/Kernel_Dash_versions.htm 2. http://toogam.bespin.org/xboxmod/site/versions.htm ```Dashboard Versions from source 2: (all but 1 referenced links were on www.xbox-scene.com) 3944 (referenced) I think this version number may not be displayed on the System Info screen under the Settings option of the dashboard's main menu. 4034 (referenced) 4817 (referenced) 1.00.4920.01 revision 10027100 (referenced) Contains a "C:\xboxdashdata.10027100" directory Known to be bundled with an Xbox using 4817 kernel 4920 revision 1012a700 (referenced) Contains a "C:\xboxdashdata.1012a700" directory Bundled with Slayer's EvoX Auto-Installer v2.5 CD which is just over 100MB large. 1.00.4960.01 w/ 17cdc100 directory Contains a "C:\xboxdashdata.1012a700" directory Obtained by using Dash 4920 revision 10027100 and getting an "Xbox Live!" update. The dash was updated to this version and a dialog box said the system needed to restart to obtain the latest dashboard, and then I rebooted and saw this instead of pushing OK in the dialog box and continuing to update. The following files were different: The C:\xboxdashdata.1012a700 was renamed to C:\17cdc100 xboxdash.xbe was different (slightly larger) Files under C:\xodash\ were updated, including the two XBE files. None of the XBE files were dated later than August of 2003, even though I downloaded the files later. Sorry, this isn't a salvation for Kernel 5713 users. 1.00.5659.03 revision 17F14D00 I believe this came from updating using Ninja Gaiden. 1.00.5659.03 revision 17e4cd00 (referenced) Sealed the security breaches that let old font hacks and audio hacks work. (All newer versions also will not work with the old hacks.) 5960 (referenced) sylver77 has concluded that dashboard 4627 does not exist which is why it is never tested in any of the homebrew software. I have seen references to an XDK dashboard version 4627, so I suppose the official XDK developers have some sort of thing called the "XDK Dashboard". Some/all of these dashboard versions were simply taken from the MS Dashboard DVD Region Free Patch compatibility list. ` Still looking for archives of all the various versions. A complete list of all files listed for each dashboard version instead of one with all the differences. The main page would list all the major/minor releases of dashboards that a user can select to see the full contents of each version. 4e23960db9b0f9ac1b4dc845ffce23a243f17748 5864 5863 2017-07-09T09:42:43Z KaosEngineer 2482 Converted copied data from source web to markdown via MS Word paste as the links were lost in direct paste to wiki. wikitext text/x-wiki Hard Drive Contents page. Should this set of pages be formatted to have a main page that lists the various versions of Xbox dashboards as there are many. The final 5960 and a lot of previous minor and major updates from the initial release on Xbox v1.0's. I've found a list of versions at two different web sites but the content is not listed for all the HDD files. 1. http://codeasm.com/xbox/Kernel_Dash_versions.htm 2. http://toogam.bespin.org/xboxmod/site/versions.htm Dashboard Versions - 3944 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - I think this version number may not be displayed on the System Info screen under the Settings option of the dashboard's main menu. - 4034 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - 4817 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - 1.00.4920.01 revision 10027100 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - Contains a "C:\\xboxdashdata.10027100" directory - Known to be bundled with an Xbox using 4817 kernel - 4920 revision 1012a700 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - Contains a "C:\\xboxdashdata.1012a700" directory - Bundled with [Slayer's EvoX Auto-Installer v2.5](http://www.xboxstation.com/modules.php?name=News&file=article&sid=82) CD which is just over 100MB large. - 1.00.4960.01 w/ 17cdc100 directory - Contains a "C:\\xboxdashdata.1012a700" directory - Obtained by using Dash 4920 revision 10027100 and getting an "Xbox Live!" update. The dash was updated to this version and a dialog box said the system needed to restart to obtain the latest dashboard, and then I rebooted and saw this instead of pushing OK in the dialog box and continuing to update. The following files were different: - The C:\\xboxdashdata.1012a700 was renamed to C:\\17cdc100 - xboxdash.xbe was different (slightly larger) - Files under C:\\xodash\\ were updated, including the two XBE files. - None of the XBE files were dated later than August of 2003, even though I downloaded the files later. Sorry, this isn't a salvation for Kernel 5713 users. - 1.00.5659.03 revision 17F14D00 - I believe this came from updating using Ninja Gaiden. - 1.00.5659.03 revision 17e4cd00 ([referenced](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF)) - Sealed the security breaches that let old font hacks and audio hacks work. (All newer versions also will not work with the old hacks.) - 5960 ([referenced](http://forums.xbox-scene.com/index.php?showtopic=227528)) - [sylver77 has concluded that dashboard 4627 does not exist](http://forums.xbox-scene.com/index.php?act=ST&f=40&t=96118) which is why it is never tested in any of the homebrew software. I have seen references to an XDK dashboard version 4627, so I suppose the official XDK developers have some sort of thing called the "XDK Dashboard". - Some/all of these dashboard versions were simply taken from the [MS Dashboard DVD Region Free Patch compatibility list](http://www.xbox-scene.org/tools/tools.php?page=xipxap#newsitemEpykEEFEAZZwfWLZRF). (Word to Markdown plugin writage-1.11.msi from http://www.writage.com/) ad23ded45ab81f034fc63d7ca6ee4c3b87e90359 0 3703 5865 5713 2017-07-09T17:13:07Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |Dead |Unknown |{{No}} |[https://github.com/monocasa/xbvm XBVM] | | |Windows | | |- |Dead | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |LLE/HLE Hybrid |{{No}} |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |- |Maintained |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Xbox One Backward Compatibility]] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 6e5253652fb6d989c47a66cf2ef14b9d6413b415 5866 5865 2017-07-09T17:34:14Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |Maintained |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |Maintained |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |Dead |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |Dead |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |Unknown |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |Unknown |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |Unknown |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |Unknown |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |Dead |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |Unknown |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |Dead |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |Unknown |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |Unknown |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |Unknown |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |Maintained |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |Dead |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |Dead | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |Dead |LLE/HLE Hybrid |{{No}} |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |- |Maintained |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Xbox One Backward Compatibility]] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 104051e87019f60002c8a058aeec7fdc25cd6144 5874 5866 2017-07-13T15:22:31Z DaveX 2487 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[[Xbox 360 Backward Compatibility]] | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Xbox One Backward Compatibility]] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] eabe4faf9126dcc805af9aca6ddc718411f38269 10 3813 5870 2017-07-13T15:20:25Z DaveX 2487 Created page with "<noinclude>{| class="wikitable" |- |</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2714; Unk..." wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2714; Unknown}}}<noinclude> |} {{documentation}} </noinclude> d6e8d6473a99a599d670f5912efcb243fac25b37 5890 5870 2017-07-16T13:12:08Z DaveX 2487 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|Unknown}}}<noinclude> |} {{documentation}} </noinclude> 62367fab6d428750ff543ac66d5200a64d2b1afe 1 3815 5875 2017-07-13T22:22:54Z JayFoxRox 2 /* Use of the word "BIOS" is misleading */ new section wikitext text/x-wiki == Use of the word "BIOS" is misleading == The article speaks about "BIOS" which is not very well defined term for Xbox. It could very well be interpreted that it refers to the MCPX ROM. We should create links to http://xboxdevwiki.net/Flash and make very clear which parts can be dumped and which parts can not be dumped Maybe it's safer to just call this "Flash dumping" instead and just mention that some people call this "BIOS dumping" --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 15:22, 13 July 2017 (PDT) 40c5ec1b9a65bdddb5fe52ee4746e2adb4954cfa 0 9 5876 5069 2017-07-13T23:45:52Z JayFoxRox 2 wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == - [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions{{FIXME|reason=Unconfirmed, needs testing}}] 7c491ef33d50df4002c4912500c448e2ec519834 5877 5876 2017-07-13T23:46:11Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == - [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions]{{FIXME|reason=Unconfirmed, needs testing}} 9fc357ac6be3bfd345a856315ee51ceacf7dc20d 5878 5877 2017-07-13T23:46:38Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == * [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions]{{FIXME|reason=Unconfirmed, needs testing}} 6cdcadf23dbc18b562f38cd36482e56abcc39386 0 3816 5879 2017-07-14T03:29:05Z JayFoxRox 2 Created page with "{{game}} === Related links === * https://blogs.msdn.microsoft.com/shawnhar/2009/06/03/motogp-curved-surfaces/ * http://www.gamasutra.com/view/feature/2987/tool_postmortem_cli..." wikitext text/x-wiki {{game}} === Related links === * https://blogs.msdn.microsoft.com/shawnhar/2009/06/03/motogp-curved-surfaces/ * http://www.gamasutra.com/view/feature/2987/tool_postmortem_climax_brightons_.php a37bd7bb6ef6ec4553c153a1abbd17f2b0d895b2 5880 5879 2017-07-14T22:59:55Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki {{game}} === Related links === * http://www.gamasutra.com/view/feature/2987/tool_postmortem_climax_brightons_.php * http://www.shawnhargreaves.com/motogp/ * [https://blogs.msdn.microsoft.com/shawnhar/ Blog with many MotoGP posts, most from 2008-2010.] Posts marked explicitly as MotoGP (there are others too about MotoGP too): ** https://blogs.msdn.microsoft.com/shawnhar/2009/12/30/motogp-ai-coordinate-systems/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/05/motogp-lod-selection/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/04/motogp-mind-the-gap/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/03/motogp-curved-surfaces/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/02/motogp-the-price-is-right/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/05/motogp-debug-cameras/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/04/motogp-run-slow-step-step-stop/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/01/motogp-tweakables/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/10/motogp-lightning-flashes/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/01/motogp-wet-weather-effects/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/02/motogp-cloudy-with-poor-visibility/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/07/motogp-spray-and-wakes/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/17/motogp-road-reflections/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/13/motogp-raindrops-keep-falling-on-my-lens/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/20/motogp-replays/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/13/motogp-skidmarks/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/02/motogp-custom-paint-jobs/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/27/motogp-localization/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/17/motogp-particles/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/04/motogp-the-power-of-blu-tack/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/30/motogp-crash-camera/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/29/motogp-bike-damage/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/29/motogp-the-sun/ 0f218fccfa0eaa55d038c80701b869498bb8ec2f 5881 5880 2017-07-15T12:56:20Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki {{game}} === Related links === * http://www.gamasutra.com/view/feature/2987/tool_postmortem_climax_brightons_.php * http://www.shawnhargreaves.com/motogp/ * [https://blogs.msdn.microsoft.com/shawnhar/ Blog with many MotoGP posts, most from 2008-2010.] Posts marked explicitly as MotoGP (there are others about MotoGP too): ** https://blogs.msdn.microsoft.com/shawnhar/2009/12/30/motogp-ai-coordinate-systems/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/05/motogp-lod-selection/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/04/motogp-mind-the-gap/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/03/motogp-curved-surfaces/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/06/02/motogp-the-price-is-right/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/05/motogp-debug-cameras/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/04/motogp-run-slow-step-step-stop/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/05/01/motogp-tweakables/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/10/motogp-lightning-flashes/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/01/motogp-wet-weather-effects/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/02/motogp-cloudy-with-poor-visibility/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/07/motogp-spray-and-wakes/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/17/motogp-road-reflections/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/04/13/motogp-raindrops-keep-falling-on-my-lens/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/20/motogp-replays/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/13/motogp-skidmarks/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/03/02/motogp-custom-paint-jobs/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/27/motogp-localization/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/17/motogp-particles/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/02/04/motogp-the-power-of-blu-tack/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/30/motogp-crash-camera/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/29/motogp-bike-damage/ ** https://blogs.msdn.microsoft.com/shawnhar/2009/01/29/motogp-the-sun/ 42c766b0610e8e7a58df435bc3e2e548f20dc00c 0 3817 5882 2017-07-15T18:26:46Z JayFoxRox 2 Created page with "Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{F..." wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || Official Microsoft product name || Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || Advanced SCART Cable || SCART (15 kHz RGB) || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || High Definition AV Pack || Component || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || ''Not officially available / supported'' || VGA (31 kHz RGB) || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || RF Adapter || NTSC Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || Advanced AV Pack || PAL Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || ''Not officially available / supported'' || PAL/Secam Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || Standard AV Cable || NTSC Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || ''No cable connected'' || - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation-needed|reason=Are these still connected to Vcc maybe?}} {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] 1b89800324bc5bd2592d21bae3748faa57c79605 5884 5882 2017-07-15T18:29:54Z JayFoxRox 2 /* Supported signals / AV cables */ wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Official Microsoft product name || Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || Advanced SCART Cable || SCART (15 kHz RGB) || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || High Definition AV Pack || Component || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || ''Not officially available / supported'' || VGA (31 kHz RGB) || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || RF Adapter || NTSC Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || Advanced AV Pack || PAL Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || ''Not officially available / supported'' || PAL/Secam Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || Standard AV Cable || NTSC Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || ''No cable connected'' || - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation-needed|reason=Are these still connected to Vcc maybe?}} {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] ace6817bf67010bcc9a47407e02bb0cb16b4e444 5885 5884 2017-07-15T19:37:21Z JayFoxRox 2 /* Supported signals / AV cables */ wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || PAL / SECAM || ''Not officially available / supported'' | RF Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] 9347f49cd491001c4ec970afa2fbf36b0dfda3c6 5886 5885 2017-07-15T19:44:47Z JayFoxRox 2 /* Supported signals / AV cables */ wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || PAL / SECAM || ''Not officially available / supported'' | RF Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (PAL / NTSC / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] 002703e3b520774c5948fe66d8192fd0705a6db4 5887 5886 2017-07-15T20:03:58Z JayFoxRox 2 /* Supported signals / AV cables */ wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || PAL / SECAM || ''Not officially available / supported'' | RF Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] 1094e010a43610fc754e4f2a1923a39c46cf3954 0 1 5883 5732 2017-07-15T18:27:20Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] bf2816a93d327b1cf9ae823e73efca58b185d092 0 3695 5888 5189 2017-07-16T01:13:56Z JayFoxRox 2 wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == The following list was almost entirely created by [https://www.youtube.com/user/pcmaker2 pcmaker (also known as John Godgames)] around 2015. Meaning of the status fields: {| class="wikitable" !Status !Meaning |- |Nothing |Not showing anything due to error |- |Intro |Shows something as Intro / Menu |- |Ingame |Ingame (Graphical bugs) |- |Playable* |Partially playable or expected to be fully playable but not tested completly yet |- |Playable |Partially playable / Fully playable |} {{:XQEMU/Compatibility List}} == XQEMU-JFR == XQEMU-JFR is a now defunct fork of XQEMU by JayFoxRox. Most of the changes have since been integrated back into the official version of XQEMU. The archived version can be found at https://github.com/JayFoxRox/xqemu-jfr eb67875379c72e82071579458c227874724cb02b 0 3818 5891 2017-07-16T13:23:59Z JayFoxRox 2 Created page with "It's a delta electronics power{{citation needed}} == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |..." wikitext text/x-wiki It's a delta electronics power{{citation needed}} == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] cd44d23718851d560ca897d8a6a3f2938c38d03b 1 3819 5892 2017-07-16T14:04:43Z Codeasm 2480 Created page with "There are pinout pictures for some difernet xbox psu, but wich ones where actualy shipped from MS factories? maybe they where used in refurbed xboxes? Delta is somewhat realy..." wikitext text/x-wiki There are pinout pictures for some difernet xbox psu, but wich ones where actualy shipped from MS factories? maybe they where used in refurbed xboxes? Delta is somewhat realy confirmed to be a Shipped psu for most generations but whatabout == Foxlink == Found in PSU replacement shops and pinout pages, but did they come within stock xboxes? --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 07:04, 16 July 2017 (PDT) abf72e7bf29e57c991d30bad93657b3062abeeb0 0 1 5894 5883 2017-07-16T14:32:11Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] 0eeaa2250c8ad9cb2fbc875f525391fbfc5046ba 5908 5894 2017-07-16T16:13:59Z Codeasm 2480 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * Find random stuff in [[Resources]] 0c28f8406f620dc8b0b3806425f1b7b3e0a1dca4 5938 5908 2017-07-31T07:35:44Z Haxar 2485 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[DVD-IR Internals]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] db9344913150fae2bf8be13cba42e4c8614ff77f 0 3820 5895 2017-07-16T14:36:39Z JayFoxRox 2 Dummy page wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip. A datasheet for a close relative can be found at http://datasheet.seekic.com/PdfFile/LPC/LPC47M140NC_SMSC_SMSC_Corporation.pdf The board provides the following ports: * {{FIXME|reason=someone should add this}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] 8fcff959938dae504d932f51debcf34e944bfb60 5902 5895 2017-07-16T15:20:01Z Codeasm 2480 Added some rumoured details of the serial IO board wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip. A datasheet for a close relative can be found at http://datasheet.seekic.com/PdfFile/LPC/LPC47M140NC_SMSC_SMSC_Corporation.pdf (a working link seems to be: http://pdf-file.ic37.com/pdf1/SMSC/LPC47M140_datasheet_138298/225601/LPC47M140_datasheet.pdf) The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not the same as [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS2 mouse and keyboard{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flashrom bios (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) aa90bb7475dbb134e686ce1503f2c8081cae9fb9 5905 5902 2017-07-16T15:38:32Z JayFoxRox 2 wiki keeps a history = can just replace links + reworded wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip. A datasheet for a close relative can be found at http://pdf-file.ic37.com/pdf1/SMSC/LPC47M140_datasheet_138298/225601/LPC47M140_datasheet.pdf The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) 08fefa9f573fa6d5c2f9766103ce2351e23e5756 0 3821 5896 2017-07-16T14:37:59Z JayFoxRox 2 Created page with "The DVD emulator is a feature of [[Development Kits]]. {{FIXME|reason=Describe the purpose}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact..." wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. {{FIXME|reason=Describe the purpose}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} 5fdffe4c59b6e4c734b01b893e5d9e38f9392bb2 5907 5896 2017-07-16T16:12:11Z Codeasm 2480 first draft of text wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} b096f276d5de3ed0cd72fb509295c596e9683ef4 1 3819 5897 5892 2017-07-16T14:56:26Z Codeasm 2480 /* Foxlink */ wikitext text/x-wiki There are pinout pictures for some difernet xbox psu, but wich ones where actualy shipped from MS factories? maybe they where used in refurbed xboxes? Delta is somewhat realy confirmed to be a Shipped psu for most generations but whatabout == Foxlink == Found in PSU replacement shops and pinout pages, but did they come within stock xboxes? Found 3 in my xboxes that where secondhand, too often for being just replacements I gues. ''Model: FTPS-0002'' 96Watt a Rev B, and Rev H --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 07:04, 16 July 2017 (PDT) 98191a25e9827825feb86cefbe42f8dc26c858cb 5898 5897 2017-07-16T15:01:51Z Codeasm 2480 /* Foxlink */ wikitext text/x-wiki There are pinout pictures for some difernet xbox psu, but wich ones where actualy shipped from MS factories? maybe they where used in refurbed xboxes? Delta is somewhat realy confirmed to be a Shipped psu for most generations but whatabout == Foxlink == Found in PSU replacement shops and pinout pages, but did they come within stock xboxes? Found 3 in my PAL, 220 volt xboxes that where secondhand, too often for being just replacements I gues. ''Model: FTPS-0002'' 96Watt a Rev B, and Rev H (all 3 where in 220 pal xboxes) --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 07:04, 16 July 2017 (PDT) 57f8623df96b07c54f19ef0578339de347335f92 0 3669 5899 5648 2017-07-16T15:03:43Z Codeasm 2480 wikitext text/x-wiki There are 7{{citation needed|reason=What about debug kits? mcpx revisions? RAM changes? .. should we even try to count?}}retail Xbox revisions == 1.0 == * Made in Hungary * USB controller is on a separate PCB * GPU has a fan on the heat sink * MCPX 1.0 ROM * Thomson DVD Drive * Seagate Hard Drive * Conexant [[Video Encoder]] == 1.1 == Same as 1.0, except: * Made in Hungary or Mexico * USB controller moved onto the motherboard * Fan removed from the GPU heat sink * MCPX 1.1 ROM == 1.2 == Same as 1.1, except: * Made in China * Philips DVD Drive * Western Digital Hard Drive == 1.3 == Same as 1.2, except: * Samsung DVD Drive * Seagate Hard Drive == 1.4 == Same as 1.3, except: * Western Digital Hard Drive * Focus video chip == 1.5 == Same as 1.4. Possibly never existed, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == 1.6 == Same as 1.4, except: * Made in China or Taiwan * Removed data and power lines from LPC port * Xcalibur video chip * Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] e48b6093bed8a71eeb3610834d1e6d3461bd4d49 0 3818 5900 5891 2017-07-16T15:05:24Z Obcd 2489 wikitext text/x-wiki It's a delta electronics power{{citation needed}} On a 1.0 xbox supply, there seems to be 2 types for the US 120V and EU 240V market. The marks are on the PCB with a check next to them DPSN-96-AP-1 should be the EU 240V one DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V it also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB 3V3 Standby 0.075A 3V3 4.8A 5V 13.2A 12V 1.2A A pc ATX supply needs a line pulled to GND to turn on the supply. The xbox supply needs a voltage (3V3?) on it's power on line to turn the supply on. == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] c10f00cfe1da7c8eea2abb26f1f3d5f0eb3efa53 5901 5900 2017-07-16T15:09:15Z Codeasm 2480 foxlinks love wikitext text/x-wiki It's either a delta electronics power supply or foxlink{{citation needed}} On a 1.0 xbox supply, there seems to be 2 types for the US 120V and EU 240V market. The marks are on the PCB with a check next to them DPSN-96-AP-1 should be the EU 240V one DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V it also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB 3V3 Standby 0.075A 3V3 4.8A 5V 13.2A 12V 1.2A A pc ATX supply needs a line pulled to GND to turn on the supply. The xbox supply needs a voltage (3V3?) on it's power on line to turn the supply on. == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] b055b2bdb9f80ab1db0649518f2faa1a1246f192 5903 5901 2017-07-16T15:32:42Z JayFoxRox 2 Removed sentence about PC ATX + reworded wikitext text/x-wiki It's either a delta electronics power supply or foxlink{{citation needed}} On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall?}} types for the US 120V and EU 240V market. The marks are on the PCB with a check next to them: * DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 06d18853397eae0a4a600307ac393c680ac356ec 5904 5903 2017-07-16T15:34:33Z JayFoxRox 2 Be more precise about manufacturers wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall?}} types for the US 120V and EU 240V market. The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 941fb6361e10c1783972828b3d229f7067d16e70 5925 5904 2017-07-18T13:11:18Z Codeasm 2480 Foxlink details I found, also Minebea and wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== According to an older Xbox-scene article, Foxlink powersupplies tend to have a bad powerplug connector on the back and where installed in 1.0 and 1.1 xboxes.{citation needed}{citation needed}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} === Samsung "TUSCANNY === Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 ===TUSCANY {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 32d068bac925bca3b0c9483270621fdc8c186c2e 5926 5925 2017-07-18T13:13:29Z Codeasm 2480 /* Samsung "TUSCANY */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== According to an older Xbox-scene article, Foxlink powersupplies tend to have a bad powerplug connector on the back and where installed in 1.0 and 1.1 xboxes.{citation needed}{citation needed}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} === Samsung "TUSCANy"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 ===TUSCANY {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 073ac5d247e1e9b933b43d8ee6841776028b2418 5927 5926 2017-07-18T13:13:53Z Codeasm 2480 /* Samsung "TUSCANy" */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== According to an older Xbox-scene article, Foxlink powersupplies tend to have a bad powerplug connector on the back and where installed in 1.0 and 1.1 xboxes.{citation needed}{citation needed}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 ===TUSCANY {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 51bdf7d3fb5f1061e5d9082b77e5447334a29895 5928 5927 2017-07-18T13:35:49Z Codeasm 2480 /* power cord recall */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{citation needed}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 ===TUSCANY {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] f5e3da40f52cca803bd9094c2031235ece8482ad 5929 5928 2017-07-18T13:38:44Z Codeasm 2480 /* Connector pinout */ woops, fixed me copy error wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{citation needed}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 1f15d9940d8c261279e499ee8a351610b6f0718b 5930 5929 2017-07-18T13:41:41Z Codeasm 2480 /* power cord recall */ yt wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{citation needed}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} An more in detail video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 8ffba186e6b56d70859fbec056c2c0ea0f560b04 0 3822 5906 2017-07-16T16:00:40Z Codeasm 2480 Alpha and devkits added, hope my gramar and such is fine. correct me if wrong please wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. consisting of: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS). All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] e13007ad19a2d3c5a91c2b6be70c9d9454802e65 5940 5906 2017-08-08T15:25:24Z Codeasm 2480 /* Franken Alpha */ Kernel error solutions wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. consisting of: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha ==== '''IDEX: hard disk not configured (status=51).''' HDD too small '''IDEX: hard disk not configured (status=ff).''' HDD on the wrong bus, put on primairy channel. (maybe wrong place on the cable itself) '''IDEX: hard disk not found (status=7f).''' HDD not connected '''MP: No video output because you are using an older video card.''' Well, insert a Geforce3 card (NV20 based) '''WRN[XNET]: EnetInitialize failed: 0x801f0001''' Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) '''[XNET]: NicExecuteActionCmdAndWait failed! WRN[XNET]: EnetInitialize failed: 0x801f0001''' Network on wrong pci lane or no screen * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for my particular motherboard == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS). All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] 24dc46c04c576bf0d664ec208acebe260dcb48f3 5941 5940 2017-08-08T16:25:32Z Codeasm 2480 /* Posible solutions on fixing a (franken) alpha */ formating wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. consisting of: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while on purpose incorrectly installed or configured the computer. These results may vary with official parts, configs, bios or firmware. Or due to diferences in hardware. these are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primairy channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was under test. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS). All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] f7393b75d1f21e7270182d4aeabdd5931bbfaec3 5942 5941 2017-08-08T16:48:38Z Codeasm 2480 /* Posible solutions on fixing a (franken) alpha(2) */ wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. consisting of: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while on purpose incorrectly installed or configured the computer. These results may vary with official parts, configs, bios or firmware. Or due to diferences in hardware. these are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primairy channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was under test. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS). All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] e2ca45ec09eb9bb098e05eb3ba9b0df8b065e268 0 3823 5909 2017-07-16T16:17:58Z Codeasm 2480 Created page with "Only enabled in debug kernels, a Xbox with serial port can be kernel debugged with windbg. only executables that have debugging switched on can be debugged over serial aswell(..." wikitext text/x-wiki Only enabled in debug kernels, a Xbox with serial port can be kernel debugged with windbg. only executables that have debugging switched on can be debugged over serial aswell(?) {{citation needed}} {FIXME| Explain with more details ;) } Xqemu emulates this serial port, wich uses a [[Super_I/O | LPC chip ]. {FIXME| some example kernel output} d1c918362b080f3b75e4e43e76ed96e7a8591456 0 3817 5910 5887 2017-07-16T16:32:51Z JayFoxRox 2 wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === {| class="wikitable" ! Pin || Description |- | 1 || Audio Right |- | 2 || Audio Right GND |- | 3 || SPDIF Digital Audio |- | 4 || V-Sync (VGA Mode) |- | 5 || Mode GND |- | 6 || Mode GND |- | 7 || Mode GND |- | 8 || GND |- | 9 || Variable |- | 10 || Pin 9 GND |- | 11 || Variable |- | 12 || Pin 11 GND |} {| class="wikitable" ! Pin || Description |- | 13 || Vcc |- | 14 || Audio Left |- | 15 || Audio Left GND |- | 16 || H Sync (VGA Mode) |- | 17 || Mode Select 1 |- | 18 || Mode Select 2 |- | 19 || Mode Select 3 |- | 20 || +12V |- | 21 || Pin 22 GND |- | 22 || Variable |- | 23 || Pin 24 GND |- | 24 || Variable |} {{FIXME|reason=Show tables side by side?}} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || - || ''Not officially available / supported'' | Unknown Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] c81946cc0abf59e3b61f41c5165ecd6af0f954ab 0 3683 5911 5689 2017-07-16T19:46:48Z JayFoxRox 2 Added patent link! TIL wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8f000 to 0x850FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 6191a72131b8fb2c388d3f320760eafc3106b15f 2 3729 5912 5359 2017-07-16T20:36:41Z Codeasm 2480 wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. ecb09c6b96efae15f38bdb3d84107bca52e57b40 0 3824 5913 2017-07-16T20:42:59Z PatrickvL 2473 Created page with "Here a list of patents that might be related to the NV2A GPU for the original Xbox: * Filed 1997-11-25 by nVidia: https://www.google.com/patents/US6697063 "Rendering pipeline..." wikitext text/x-wiki Here a list of patents that might be related to the NV2A GPU for the original Xbox: * Filed 1997-11-25 by nVidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by nVidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-06-19 by nVidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader " (mentions the NV2A directly) 706d4620590b3ba5b1329470edf60f80d4808443 5914 5913 2017-07-16T20:56:23Z PatrickvL 2473 Additional patents wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by nVidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by nVidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by nVidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2001-06-19 by nVidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions the NV2A directly) * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) 58f7ca2b91fde6103896846739eb33ab48d788ec 5915 5914 2017-07-16T21:22:31Z PatrickvL 2473 Added a few more patents wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") https://www.google.com/patents/US8641525 Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.nl/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.nl/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.nl/patents/US8602897 "Extended and editable gamer profile" 16ed8b8f1619b334c9b5b74462f40a88a3e28458 5918 5915 2017-07-16T21:40:24Z PatrickvL 2473 .com, not .nl wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" 7a75637fd9941228c805dbaa7ade04a1f24c1ffe 5920 5918 2017-07-17T02:34:41Z Haxar 2485 wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" ddac36d1ff9f5ad3ef5d3610e1e2af6c7c7502ec 5923 5920 2017-07-18T10:34:27Z Codeasm 2480 Breakaway cable wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") * Filed 2001-04-30 by Microsoft: https://www.google.com/patents/US20020160654 "Breakaway cable connector" (filed by Microsofts attorneys) Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" 1687ffdb5e77c20e99c7db1bc5ae1a0fc77213ff 5924 5923 2017-07-18T10:56:31Z Codeasm 2480 More chatpads and relation between em wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452534 "Portion of an electronic housing" (not a dupe, its the top X shape in detail) * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2003-05-09 by Microsoft: https://www.google.com/patents/US8493326 "Controller with removably attachable text input device" (an early keypad, later revered to by the 360 keypad patent) * Filed 2003-05-09 by Micorsoft: https://www.google.com/patents/US7116311 "Embedded text input " (reffered to by the 360 chatpad) * Filed 2006-07-03 by Micorsoft: https://www.google.com/patents/US7804484 "Embedded text input " (probably a corrected version of US7116311, reffered to by the 360 chatpad) * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") * Filed 2001-04-30 by Microsoft: https://www.google.com/patents/US20020160654 "Breakaway cable connector" (filed by Microsofts attorneys) Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" * Filed 2007-12-07 by Microsoft: https://www.google.com/patents/US8487876 "Ergonomic hand-held text input device " (The xbox 360 chatpad, wich mentions the OG textpad US8493326 and US7116311 ;) ) 67b8fb7f7cbad192388779b0f08acd45335abdc8 5939 5924 2017-08-01T14:01:32Z Codeasm 2480 Baretta prototype chatpad wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452534 "Portion of an electronic housing" (not a dupe, its the top X shape in detail) * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2003-05-09 by Microsoft: https://www.google.com/patents/US8493326 "Controller with removably attachable text input device" (an early keypad, later revered to by the 360 keypad patent) * Filed 2003-05-09 by Micorsoft: https://www.google.com/patents/US7116311 "Embedded text input " (reffered to by the 360 chatpad) * Filed 2006-07-03 by Micorsoft: https://www.google.com/patents/US7804484 "Embedded text input " (probably a corrected version of US7116311, reffered to by the 360 chatpad, a picture of the "Baretta" chatpad, https://assemblergames.com/threads/xbox-chatpad-unreleased.54523/ * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") * Filed 2001-04-30 by Microsoft: https://www.google.com/patents/US20020160654 "Breakaway cable connector" (filed by Microsofts attorneys) Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" * Filed 2007-12-07 by Microsoft: https://www.google.com/patents/US8487876 "Ergonomic hand-held text input device " (The xbox 360 chatpad, wich mentions the OG textpad US8493326 and US7116311 ;) ) bea5c2fd5f5f4189f046095e6701c1de32ba4bb2 2 3825 5916 2017-07-16T21:23:17Z PatrickvL 2473 Created page with "Scan of Microsoft's Original Xbox (PAL) manual : http://www.videogameconsolelibrary.com/images/Manuals/01_Microsoft_Xbox_(PAL)-Manual.pdf" wikitext text/x-wiki Scan of Microsoft's Original Xbox (PAL) manual : http://www.videogameconsolelibrary.com/images/Manuals/01_Microsoft_Xbox_(PAL)-Manual.pdf 49bc3b1a9f4cf382ef220371ba353b3fd9985896 5917 5916 2017-07-16T21:36:09Z PatrickvL 2473 wikitext text/x-wiki Scan of the instruction manual for Microsoft's Original Xbox (PAL) : http://www.videogameconsolelibrary.com/images/Manuals/01_Microsoft_Xbox_(PAL)-Manual.pdf Scan of the user manual for the Mad Catz MC2 Racing Wheel : http://downloads.madcatzhosting.com/support/mcz/manuals/6320UG.pdf 1dd391fcb3c96d73cd8f17bfe3cd834ca8a60481 0 3692 5919 5544 2017-07-16T21:41:09Z PatrickvL 2473 .com, not .de wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] f5419d44867b06ca038aec1b1eb7632e28332018 0 3681 5921 5567 2017-07-17T02:47:32Z Haxar 2485 wikitext text/x-wiki The CPU in the Xbox was a custom Pentium 3 running at 733MHz. The 'custom' part of this was that that the Pentium 3 in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] (This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. d2f1631d5309b5ae066b01d50810f6651d1bc7d9 0 3678 5922 5726 2017-07-17T04:08:11Z Haxar 2485 Calling conventions are x86 specific. wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !x86 Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT] |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- | |370 | |Unused? |- | |371 | |Unused? |- | |372 | |Unused? |- | |373 | |Unused? |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 2ac8f0c5e0853b1f7d5487f4e5be3a6e308c35b2 1 3684 5931 5043 2017-07-18T23:33:50Z JayFoxRox 2 /* CPU upgrade patent */ new section wikitext text/x-wiki We should get output from cpuid here --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 06:19, 29 March 2017 (PDT) == CPU upgrade patent == I think it should be made more clear that this is a patent for an unoffical / unlicensed third party mod. I'm not sure how to do this best though. The wiki should be focused on official content and information. The emulation section is the only exception currently and it's cleanly seperated from the rest. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 16:33, 18 July 2017 (PDT) 014de8019ed1e628962e6594c6294251fca7fc28 0 3751 5932 5893 2017-07-19T14:16:23Z JayFoxRox 2 Measured my AC97 attack with poor line-in = not promising wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is likely to be lost. However, this was not tested in praxis. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be risky as harddisk contents have to be modified for the temporary softmod. | Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 5d8aca8ab56df6859dee1b11b831b2d400343c3b 0 3706 5933 5842 2017-07-19T17:06:04Z Codeasm 2480 XE format for Alpha executables wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Xbox Alpha executable format== Currently no emulator tries to read Alpha executables and no public known tools can read them. Commonly they warn you that the Xbe magic isnt correct. This is due to the first few bytes in the retail executables read 'XBEH" while the Alpha executables only read 'XE'. The format is rumoured to look more like the windows PE structure. {citation needed} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] e1615322868fdad517c43894d164242f0749185f 5935 5933 2017-07-20T12:53:27Z JayFoxRox 2 Removed non-interesting information and made clear what 'alpha' even is wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Xbox Alpha executable format== Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] 87b8f3d992c4564093892c7161c1a459c77f6e79 0 3826 5934 2017-07-20T11:31:35Z JayFoxRox 2 Created page with "{{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" ! Ports || Purpose |- | 0000-001f || dma1 |- | 0020-003f || pic1 |- | 0040-0043 || ti..." wikitext text/x-wiki {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" ! Ports || Purpose |- | 0000-001f || dma1 |- | 0020-003f || pic1 |- | 0040-0043 || timer0 |- | 0050-0053 || timer1 |- | 0060-006f || keyboard |- | 0070-007f || rtc |- | 0080-008f || dma page reg |- | 00a0-00bf || pic2 |- | 00c0-00df || dma2 |- | 00f0-00ff || fpu |- | 01f0-01f7 || ide0 |- | 03c0-03df || vesafb |- | 03f6-03f6 || ide0 |- | 0cf8-0cff || PCI conf1 |- | 1000-100f || nVidia Corporation nForce PCI System Management |- | 1080-10ff || nVidia Corporation Intel 537 [nForce MC97 Modem] |- | 1400-14ff || nVidia Corporation Intel 537 [nForce MC97 Modem] |- | c000-c00f || nVidia Corporation nForce PCI System Management (amd756-smbus) |- | c200-c21f || nVidia Corporation nForce PCI System Management |- | d000-d0ff || nVidia Corporation nForce Audio |- | d200-d27f || nVidia Corporation nForce Audio |- | e000-e007 || nVidia Corporation nForce Ethernet Controller |- | ff60-ff6f || nVidia Corporation nForce IDE |- | ff60-ff67 || ide0 |} 2372c1d7018af9f92c9319e440d3b63a0d2c8ec1 0 3804 5936 5799 2017-07-26T21:08:02Z JayFoxRox 2 The original compression ratio did not respect the sample width: 65 samples (16 bit PCM) = 130 bytes, will be compressed in 36 bytes (ADPCM). 1-(36/130) = 72.3% wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (130:36 compression ratio = 72.3% compressed). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" width="20%" | W0 | colspan="8" width="20%" | W1 | colspan="8" width="20%" | W2 | rowspan="3" width="5%" | ... | colspan="8" width="20%" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 ! {{no-select}} | +8 ! {{no-select}} | +9 |- ! {{no-select}} | 0 | 7{{hc}} || 8{{hc}} || 9{{hc}} || 10{{hc}} || 11{{hc}} || 12{{hc}} || 13{{hc}} || 14{{hc}} || 16{{hc}} || 17{{hc}} |- ! {{no-select}} | 10 | 19{{hc}} || 21{{hc}} || 23{{hc}} || 25{{hc}} || 28{{hc}} || 31{{hc}} || 34{{hc}} || 37{{hc}} || 41{{hc}} || 45{{hc}} |- ! {{no-select}} | 20 | 50{{hc}} || 55{{hc}} || 60{{hc}} || 66{{hc}} || 73{{hc}} || 80{{hc}} || 88{{hc}} || 97{{hc}} || 107{{hc}} || 118{{hc}} |- ! {{no-select}} | 30 | 130{{hc}} || 143{{hc}} || 157{{hc}} || 173{{hc}} || 190{{hc}} || 209{{hc}} || 230{{hc}} || 253{{hc}} || 279{{hc}} || 307{{hc}} |- ! {{no-select}} | 40 | 337{{hc}} || 371{{hc}} || 408{{hc}} || 449{{hc}} || 494{{hc}} || 544{{hc}} || 598{{hc}} || 658{{hc}} || 724{{hc}} || 796{{hc}} |- ! {{no-select}} | 50 | 876{{hc}} || 963{{hc}} || 1060{{hc}} || 1166{{hc}} || 1282{{hc}} || 1411{{hc}} || 1552{{hc}} || 1707{{hc}} || 1878{{hc}} || 2066{{hc}} |- ! {{no-select}} | 60 | 2272{{hc}} || 2499{{hc}} || 2749{{hc}} || 3024{{hc}} || 3327{{hc}} || 3660{{hc}} || 4026{{hc}} || 4428{{hc}} || 4871{{hc}} || 5358{{hc}} |- ! {{no-select}} | 70 | 5894{{hc}} || 6484{{hc}} || 7132{{hc}} || 7845{{hc}} || 8630{{hc}} || 9493{{hc}} || 10442{{hc}} || 11487{{hc}} || 12635{{hc}} || 13899{{hc}} |- ! {{no-select}} | 80 | 15289{{hc}} || 16818{{hc}} || 18500{{hc}} || 20350{{hc}} || 22385{{hc}} || 24623{{hc}} || 27086{{hc}} || 29794{{hc}} || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] b4d6ddeb7ad69cb7f1391ccfdd3b60b9e0579c3a 0 3675 5937 5421 2017-07-29T21:24:58Z JayFoxRox 2 Using archived doc now wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] b6dc5275584d1b8669eaaf01fc7ecccfe83b42c6 0 11 5943 5712 2017-08-09T06:30:35Z Haxar 2485 /* USB Adapters */ Replaced Amazon link to the right Xbox to USB-A cable. These are the right ones, while the old link gave me USB-A to Xbox cables. wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} 361c548b4222923901ef636adf2a79f91e586790 0 3822 5944 5942 2017-08-11T20:55:39Z Codeasm 2480 /* Alpha */ more info wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debuging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of carefull debugging of the running kernel and diagnose occuring faults or errors. At early boot of the recovery software an network ip adress is attempted to setup probbaly for another way of diagnosing and remote control using the availeble software like later xdk software. The Alpha is build with the following parts or software: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while on purpose incorrectly installed or configured the computer. These results may vary with official parts, configs, bios or firmware. Or due to diferences in hardware. these are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primairy channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was under test. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS). All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] cf82d83bc071c704778bab386982e58bb6b4d623 5945 5944 2017-08-11T21:03:03Z Codeasm 2480 /* DVT3/DVT4 */ more details I found in notes. wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debuging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of carefull debugging of the running kernel and diagnose occuring faults or errors. At early boot of the recovery software an network ip adress is attempted to setup probbaly for another way of diagnosing and remote control using the availeble software like later xdk software. The Alpha is build with the following parts or software: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforece3 NV20 prerelease hardware? {{FIXME| What hardware was this one? or was it just the firmware that got upgraded?}} * An OPTI 82C861 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} These where then programmed by use of a recovery disk that "recovered" === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN{{FIXME|SL3XN for sure in true alpha?}} * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while on purpose incorrectly installed or configured the computer. These results may vary with official parts, configs, bios or firmware. Or due to diferences in hardware. these are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primairy channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was under test. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] 1ec140e011af8708a93a6b79ad35dbc7055be7b6 0 3820 5946 5905 2017-08-16T17:34:56Z JayFoxRox 2 wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) 702216ac2e65de171c61007170552529396cf9b0 5948 5946 2017-08-17T20:02:10Z Codeasm 2480 Primairely work on schematics and pinlistings wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probablu ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} Maybe someday it will look better, but for now here are the listings of wich pin goes where: {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and GND | |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 44202b5fbdc640776b80aebad92921d6393f6b0d 5949 5948 2017-08-17T20:23:25Z Codeasm 2480 /* Schematic */ some updates wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probablu ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} Maybe someday it will look better, but for now here are the listings of wich pin goes where: {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |} {| class="wikitable" !| Pin ! to pin ! Note |- |J9 pin 1 | |(not finished) |- |J9 pin 2 |GND | |- |J9 pin 3 | |(not finished) |- |J9 pin 4 |NC |no pin |- |J9 pin 5 | |RST(not finished) |- |J9 pin 6 |C12(e),C13(S),C15(S),U3 p11. |5V(not finished) |- |J9 pin 7 | |LAD3(not finished) |- |J9 pin 8 | |LAD2(not finished) |- |J9 pin 9 |3.3V |(not finished) |- |J9 pin 10 | |LAD1(not finished) |- |J9 pin 11 | |LAD0(not finished) |- |J9 pin 12 |GND | |- |J9 pin 13 | |SCL(not finished) |- |J9 pin 14 | |SDA(not finished) |- |J9 pin 15 |3.3V |(not finished) |- |J9 pin 16 | |(not finished) |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 0ef5e38dd48dfad056f91a0a80b3dbfaea8f00e4 5950 5949 2017-08-17T21:13:40Z Codeasm 2480 /* Schematic */ done for today. will continue soon wikitext text/x-wiki The Super I/O board is a feature of [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 P84 |U3 ??? |RX |- |U1 P85 |U3 ??? |TX |} === J9 LPC header=== Not finished {| class="wikitable" !| Pin ! to pin ! Note |- |J9 pin 1 |U1 p29 | |- |J9 pin 2 |GND | |- |J9 pin 3 |U1 p24 |LFrame |- |J9 pin 4 |NC |no pin |- |J9 pin 5 | |RST |- |J9 pin 6 |C12(e),C13(S),C15(S),U3 p11. |5V |- |J9 pin 7 | |LAD3 |- |J9 pin 8 | |LAD2 |- |J9 pin 9 |3.3V | |- |J9 pin 10 | |LAD1 |- |J9 pin 11 | |LAD0 |- |J9 pin 12 |GND | |- |J9 pin 13 |U1 p104 |SCL |- |J9 pin 14 |U1 p103 |SDA |- |J9 pin 15 |3.3V | |- |J9 pin 16 |U1 p30 |(unkown function) |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] c36c830fb3dc318e1c1b9f22bc9cbf5e0a01f518 0 3821 5947 5907 2017-08-17T19:15:28Z Codeasm 2480 added images link, if I can upload I want and will. images are CC0 wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board] 03ff8ea27da0fc4ceb58f285baff0a266456ca24 0 3768 5951 5589 2017-08-20T20:16:18Z JayFoxRox 2 wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 5547e9469381f31b1ad64d0134c2b0aed8269903 5952 5951 2017-08-20T20:17:36Z JayFoxRox 2 JayFoxRox moved page [[DVD-IR Internals]] to [[DVD Movie Playback Kit]] without leaving a redirect wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 5547e9469381f31b1ad64d0134c2b0aed8269903 5953 5952 2017-08-20T20:22:17Z JayFoxRox 2 /* Dongle */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 70d4b5f8e073b05610fba9e9617d7356196b61ff |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 76f21be51c3c2d49d8e64cb43c47ec89e308d5ec 5954 5953 2017-08-20T20:24:30Z JayFoxRox 2 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 4835be1f6ec2ae1fc74984ae03167eb80b8324b9 5955 5954 2017-08-20T20:34:33Z JayFoxRox 2 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 88b4284493f4fd59e8648f33bedc091df27403fa 5957 5955 2017-08-20T20:36:30Z JayFoxRox 2 JayFoxRox moved page [[DVD Movie Playback Kit]] to [[Xbox DVD Movie Playback Kit]] without leaving a redirect wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 88b4284493f4fd59e8648f33bedc091df27403fa 5958 5957 2017-08-21T05:54:12Z Ernegien 2491 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || 73814aa736d83d636380f5c6b1c291441b35354d |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 85ca2036ea5f9aed1fa18623d092814611ab1f90 5959 5958 2017-08-21T05:55:30Z Ernegien 2491 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 88b4284493f4fd59e8648f33bedc091df27403fa 5960 5959 2017-08-21T05:56:07Z Ernegien 2491 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || 70d4b5f8e073b05610fba9e9617d7356196b61ff |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || 73814aa736d83d636380f5c6b1c291441b35354d |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 043657743cd6678e88c161ed74b68afb95164ba1 5961 5960 2017-08-21T14:53:43Z JayFoxRox 2 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 53a40b1a243d95d43d252014a0eddc39ea71f2c6 5962 5961 2017-08-21T14:56:45Z JayFoxRox 2 /* References */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 56c34335a9bbab85bb5724744263b8ca6a0a014e 5963 5962 2017-08-21T15:12:02Z JayFoxRox 2 /* Components */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === ==== X08-25387-002 (PCB: X01469-100) ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (from Xbox Linux) ==== * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] db403dc22470c4da3078178bfd96dac4a5594809 5964 5963 2017-08-21T15:12:39Z JayFoxRox 2 /* Components */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: X01469-100) ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (from Xbox Linux) ==== * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] fdc84958bf0f200b36fb15f28da590f5f94a87fb 5968 5964 2017-08-21T15:49:35Z JayFoxRox 2 /* Unknown version (from Xbox Linux) */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: X01469-100) ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (from Xbox Linux) ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 710d8e1979b0cb76da7dd26c9a277415815d259c 5969 5968 2017-08-21T16:31:01Z JayFoxRox 2 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: X01469-100) ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (from Xbox Linux) ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 13033c8b2fc3a1cae244fc378f665c1ed95e03c4 5970 5969 2017-08-21T16:34:25Z JayFoxRox 2 /* Unknown version (from Xbox Linux) */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: X01469-100) ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 6b5effd25d5456f7b666dc2b9ba3b81f5bd4e1d1 5971 5970 2017-08-21T16:35:49Z JayFoxRox 2 /* X08-25387-002 (PCB: X01469-100) */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Additionally the Dongle contains an IR receiver to receive commands from the Remote control === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program? : One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 047e8a80530a614acbda6dedb636039639b599f4 5972 5971 2017-08-21T17:26:15Z JayFoxRox 2 wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 99774dd21a5bcb4602b335eb2f8fa9e3772f9278 5979 5972 2017-08-22T06:00:52Z Ernegien 2491 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] ba73e0fafb4aee6169b767aef20e3c9fa750860a 5980 5979 2017-08-22T06:07:26Z Ernegien 2491 /* Known versions */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] 8ca22f1586220e6b52021c60ced87bdd212b2b76 5986 5980 2017-08-22T22:06:42Z Espes 2484 wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== Unknown version (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 638e2d3fc7e3b95977f9735e7360b450f99cdd8d 0 1 5956 5938 2017-08-20T20:36:09Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] d08b9a7798a6295a265f30093963fb567c6f0226 6 3827 5965 2017-08-21T15:42:43Z JayFoxRox 2 Backside of DVD Dongle. Originally by Xbox-Linux wikitext text/x-wiki Backside of DVD Dongle. Originally by Xbox-Linux ba20bdc235344f24086db7fdcffb59a5b21cffde 5966 5965 2017-08-21T15:42:59Z JayFoxRox 2 JayFoxRox moved page [[File:Xbox-linux-dvd-donge-back.jpg]] to [[File:Xbox-linux-dvd-dongle-back.jpg]] without leaving a redirect: Typo wikitext text/x-wiki Backside of DVD Dongle. Originally by Xbox-Linux ba20bdc235344f24086db7fdcffb59a5b21cffde 6 3828 5967 2017-08-21T15:43:28Z JayFoxRox 2 Frontside of DVD Dongle. Originally by Xbox-Linux wikitext text/x-wiki Frontside of DVD Dongle. Originally by Xbox-Linux 603a3832771393aebd21bc2b9e00039da7a0e0c7 0 3829 5973 2017-08-21T18:46:27Z JayFoxRox 2 Created page with "The Xbox Live Communicator is the headset which is used for Xbox Live. == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Com..." wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} f540b5989bdce3211cc512bb6b05c602a4faee73 5975 5973 2017-08-22T01:21:59Z DaveX 2487 added pic wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} 135d3375e53f6fbfa296ad69933b8aa098d4de0e 6 3830 5974 2017-08-22T01:18:34Z DaveX 2487 The Xbox Live Communicator looks roughly like this. wikitext text/x-wiki The Xbox Live Communicator looks roughly like this. 4b38e0d2b0dc4b54a6cd8087957ef387bc2644a4 5976 5974 2017-08-22T01:26:37Z DaveX 2487 DaveX uploaded a new version of [[File:Xbox Live Communicator.png]] wikitext text/x-wiki The Xbox Live Communicator looks roughly like this. 4b38e0d2b0dc4b54a6cd8087957ef387bc2644a4 5977 5976 2017-08-22T01:28:13Z DaveX 2487 DaveX uploaded a new version of [[File:Xbox Live Communicator.png]] wikitext text/x-wiki The Xbox Live Communicator looks roughly like this. 4b38e0d2b0dc4b54a6cd8087957ef387bc2644a4 5978 5977 2017-08-22T01:28:53Z DaveX 2487 DaveX uploaded a new version of [[File:Xbox Live Communicator.png]] wikitext text/x-wiki The Xbox Live Communicator looks roughly like this. 4b38e0d2b0dc4b54a6cd8087957ef387bc2644a4 0 3831 5981 2017-08-22T18:43:16Z JayFoxRox 2 Created page with "xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. === File format === {{FIXME}}" wikitext text/x-wiki xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. === File format === {{FIXME}} d5326be6dadc016befa2ead8ab4bcfc22ff11562 0 3751 5982 5932 2017-08-22T18:44:03Z JayFoxRox 2 /* Font hacks */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is likely to be lost. However, this was not tested in praxis. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be risky as harddisk contents have to be modified for the temporary softmod. | Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 7733978aeaaa0905e6a9b26597b523a82848df09 1 3832 5983 2017-08-22T18:45:23Z JayFoxRox 2 /* Merge with dashboard article */ new section wikitext text/x-wiki == Merge with dashboard article == I think it makes sense to merge this with the dashboard article or even move such file format stuff to other wikis. However, I'm not sure how to integrate it best with the dashboard article, and I'm not aware of any wikis where this would fit. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:45, 22 August 2017 (PDT) cf8fe229b5485372c576a21a038819b2465f59d9 5984 5983 2017-08-22T18:49:11Z JayFoxRox 2 /* Add file format info */ new section wikitext text/x-wiki == Merge with dashboard article == I think it makes sense to merge this with the dashboard article or even move such file format stuff to other wikis. However, I'm not sure how to integrate it best with the dashboard article, and I'm not aware of any wikis where this would fit. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:45, 22 August 2017 (PDT) == Add file format info == from #xqemu irc channel JayFoxRox: I looked at the file, it seems to be a 2D mesh format, indices, followed by vertices JayFoxRox: header is XTF0, then, then 4 bytes length for the following name of font [should be 32 bytes] JayFoxRox: seemingly this is used too: https://msdn.microsoft.com/en-us/library/dd144956(v=vs.85).aspx JayFoxRox: or at least there is a 4 byte length prefix again JayFoxRox: near end of file it's very surely <code>u16 icount, u16 vcount, u16 indices[icount] { float x,y; }[vcount]</code> JayFoxRox: if there are any structures between those 2? no idea. JayFoxRox: apparently the last structure [with mesh data] keeps repeating towards the end, so it's probably each glyph seperately JayFoxRox: I don't have more time for doing this now - I already did more than I wanted by sourcing the Xbox.xtf and Xbox Book.xtf and looking at it with hexedit and googling for MS structures :P JayFoxRox: I think there are degenerates, so looks like tri-strip --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:49, 22 August 2017 (PDT) aa3ca7c50dbf6c066a6e8dcbf799457e6aca1392 5985 5984 2017-08-22T18:49:35Z JayFoxRox 2 /* Add file format info */ wikitext text/x-wiki == Merge with dashboard article == I think it makes sense to merge this with the dashboard article or even move such file format stuff to other wikis. However, I'm not sure how to integrate it best with the dashboard article, and I'm not aware of any wikis where this would fit. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:45, 22 August 2017 (PDT) == Add file format info == from #xqemu irc channel * JayFoxRox: I looked at the file, it seems to be a 2D mesh format, indices, followed by vertices * JayFoxRox: header is XTF0, then, then 4 bytes length for the following name of font [should be 32 bytes] * JayFoxRox: seemingly this is used too: https://msdn.microsoft.com/en-us/library/dd144956(v=vs.85).aspx * JayFoxRox: or at least there is a 4 byte length prefix again * JayFoxRox: near end of file it's very surely <code>u16 icount, u16 vcount, u16 indices[icount] { float x,y; }[vcount]</code> * JayFoxRox: if there are any structures between those 2? no idea. * JayFoxRox: apparently the last structure [with mesh data] keeps repeating towards the end, so it's probably each glyph seperately * JayFoxRox: I don't have more time for doing this now - I already did more than I wanted by sourcing the Xbox.xtf and Xbox Book.xtf and looking at it with hexedit and googling for MS structures :P * JayFoxRox: I think there are degenerates, so looks like tri-strip --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:49, 22 August 2017 (PDT) 7b231ae4af073f317d5c3d3cded56fde1fa5b556 5992 5985 2017-08-23T19:57:46Z JayFoxRox 2 /* Add file format info */ wikitext text/x-wiki == Merge with dashboard article == I think it makes sense to merge this with the dashboard article or even move such file format stuff to other wikis. However, I'm not sure how to integrate it best with the dashboard article, and I'm not aware of any wikis where this would fit. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:45, 22 August 2017 (PDT) == Add file format info == from #xqemu irc channel * JayFoxRox: I looked at the file, it seems to be a 2D mesh format, indices, followed by vertices * JayFoxRox: header is XTF0, then, then 4 bytes length for the following name of font [should be 32 bytes] * JayFoxRox: seemingly this is used too: https://msdn.microsoft.com/en-us/library/dd144956(v=vs.85).aspx * JayFoxRox: or at least there is a 4 byte length prefix again * JayFoxRox: near end of file it's very surely <code>u16 icount, u16 vcount, u16 indices[icount] { float x,y; }[vcount]</code> * JayFoxRox: if there are any structures between those 2? no idea. * JayFoxRox: apparently the last structure [with mesh data] keeps repeating towards the end, so it's probably each glyph seperately * JayFoxRox: I don't have more time for doing this now - I already did more than I wanted by sourcing the Xbox.xtf and Xbox Book.xtf and looking at it with hexedit and googling for MS structures :P * JayFoxRox: I think there are degenerates, so looks like tri-strip << edit: actually those are just tris! Update: source code for partially converting to svg font: https://gist.github.com/JayFoxRox/3749698d1ae590608433672bffecba5a --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:49, 22 August 2017 (PDT) 6fb1c7b7d8081fc46db93505cd752e51bf8fcc86 0 11 5987 5943 2017-08-22T22:10:15Z Espes 2484 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} === Related links === [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] a5548a610b5d03df981e3c152bc07f2ce44d47de 5988 5987 2017-08-22T22:10:55Z Espes 2484 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |DPAD_UP |2 |0x01 | |- |DPAD_DOWN |2 |0x02 | |- |DPAD_LEFT |2 |0x04 | |- |DPAD_RIGHT |2 |0x08 | |- |START |2 |0x10 | |- |BACK |2 |0x20 | |- |LEFT_THUMB |2 |0x40 | |- |RIGHT_THUMB |2 |0x80 | |- |A |4 |0xFF |Button is analog |- |B |5 |0xFF |Button is analog |- |X |6 |0xFF |Button is analog |- |Y |7 |0xFF |Button is analog |- |BLACK |8 |0xFF |Button is analog |- |WHITE |9 |0xFF |Button is analog |- |LEFT_TRIGGER |10 |0xFF |Trigger is analog |- |RIGHT_TRIGGER |11 |0xFF |Trigger is analog |- |sThumbLX |12 |0xFFFF | |- |sThumbLY |14 |0xFFFF | |- |sThumbRX |16 |0xFFFF | |- |sThumbRY |18 |0xFFFF | |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] f7cf9811a69e0cb388f77d4fff0985b7ca978336 0 3833 5989 2017-08-23T04:50:49Z JayFoxRox 2 Created page with "The 16 byte RC4 key used to decrypt parts of the [[EEPROM]]. The key is passed to kernel from from 2BL. It is only initialized on cold-boot. If an XBE is loaded which is not..." wikitext text/x-wiki The 16 byte RC4 key used to decrypt parts of the [[EEPROM]]. The key is passed to kernel from from 2BL. It is only initialized on cold-boot. If an XBE is loaded which is not allowed to run in the manufacturing region, the Microsoft Kernels will set the EEPROM key to all zeros. As the key is not re-initialized, this means running the first non-manufacturing XBE (such as a game or [[Dashboard]]{{FIXME|reason=confirm the dash is not running in manufacturing}}), will make the key unretrievable until a reboot. 6271ebf6326f9f7eefd7b6f3bdd411bec4817a56 5991 5989 2017-08-23T05:06:23Z JayFoxRox 2 Reluctantly moved the chihiro key here. wikitext text/x-wiki The 16 byte RC4 key used to decrypt parts of the [[EEPROM]]. The key is passed to kernel from from 2BL. It is only initialized on cold-boot. If an XBE is loaded which is not allowed to run in the manufacturing region, the Microsoft Kernels will set the EEPROM key to all zeros. As the key is not re-initialized, this means running the first non-manufacturing XBE (such as a game or [[Dashboard]]{{FIXME|reason=confirm the dash is not running in manufacturing}}), will make the key unretrievable until a reboot. The Chihiro EEPROM key is <code>7B 35 A8 B7 27 ED 43 7A A0 BA FB 8F A4 38 61 80</code> 9125826930a83fa14670ff56618ebfaf1ac2650e 0 3742 5990 5538 2017-08-23T05:05:51Z JayFoxRox 2 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x5C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] d6c8ffe19263449294cbeeec09e60f55b2730e08 0 3750 5993 5474 2017-08-24T18:39:42Z JayFoxRox 2 wikitext text/x-wiki The Xbox does not use an ordinary [https://web.archive.org/web/20100617022211/http://en.wikipedia.org/wiki/RAMDAC RAMDAC] for video output. Instead, it employs a <em>video encoder</em>. Video encoder is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a RAMDAC would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the times &ndash; three different video encoders have been used this far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel.) They are, however, not register-compatible. Two of the video encoders (namely, Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [https://web.archive.org/web/20100617022211/http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. (This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal.) The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/SMBus_Controller" title="SMBus Controller">I²C/SMBus</a>. === Conexant CX25871 === [https://web.archive.org/web/20100617022211/http://www.conexant.com:9000/cgi-bin/query?mss=srchprod&amp;pg=q&amp;i=IDXPRODSRCH&amp;q=cx25870 Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions v1.0 through v1.3. If you follow the link, you will find a product brief and a complete data sheet, with register-level programming information. === Focus FS454 === [https://web.archive.org/web/20100617022211/http://www.focusinfo.com/solutions/catalog.asp?id=30 Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. The data sheet containing the necessary programming information is available from the manufacturer by separate request. Copies of it have also been seen floating around the net. === Xcalibur === The "Xcalibur" video encoder is a custom chip manufactured for Microsoft. It was first used in the Xbox hardware revision 1.6. The Xbox-Linux support the Xcalibur video encoders is very limited at present (see <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/Xbox_v1.6_Issues" title="Xbox v1.6 Issues">Xbox v1.6 Issues</a>). The reason for this is that there is, at least currently, no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another MS-specific chip, named Xyclops. c8c82d0bd507c7a97db76367aec50adc0b495b09 0 3767 5994 5588 2017-08-24T18:40:11Z JayFoxRox 2 Moved to seperate page wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MB; 0xFFFC0000, if the ROM is 256 KB) into the but the Xbox kernel. == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == The PIC16LC is a small 8 bit processor running at 20 MHz with its own ROM, RAM and I/O lines. It controls: * Power button * Eject button * Power/error LED * DVD tray status (through extra pins to DVD drive) * Video cable type (3 pins) The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == The Serial EEPROM holds some settings, such as time zone, language, IP address etc., as well as the hard disk key and the Xbox serial number. == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 42026be494ce08bdf4e5162932c7acefe3716b66 5996 5994 2017-08-25T13:40:28Z JayFoxRox 2 /* Serial EEPROM */ wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MB; 0xFFFC0000, if the ROM is 256 KB) into the but the Xbox kernel. == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == The PIC16LC is a small 8 bit processor running at 20 MHz with its own ROM, RAM and I/O lines. It controls: * Power button * Eject button * Power/error LED * DVD tray status (through extra pins to DVD drive) * Video cable type (3 pins) The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == See [[EEPROM]] == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 0d6db561bbe01d5efb365f3ea538073f3dc1b6ac 5998 5996 2017-08-25T13:42:54Z JayFoxRox 2 /* PIC16LC */ wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MB; 0xFFFC0000, if the ROM is 256 KB) into the but the Xbox kernel. == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == See [[System Management Controller]] == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == See [[EEPROM]] == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 57487829a83dcf218c886144b44d57746b4bdb1e 6000 5998 2017-08-25T13:45:18Z JayFoxRox 2 /* Flash ROM */ wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == The CPU is a standard Pentium III Coppermine mobile at 733 MHz. This CPU has been found to be a modified Pentium III, as it has many of the features a Celeron lacks. Therefore, it can be classified as a Pentium III with a smaller cache. (Regular has 256kb or more, XBox has 128kb) == Flash ROM == See [[Flash ROM]] == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == See [[System Management Controller]] == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == See [[EEPROM]] == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 257ae61a0b93923c14b2eb772cd182263f941460 6005 6000 2017-08-25T13:54:01Z JayFoxRox 2 /* Intel Pentium III CPU */ wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == See [[CPU]] == Flash ROM == See [[Flash ROM]] == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == See [[System Management Controller]] == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == See [[EEPROM]] == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == The Xbox graphics hardware is VGA compatible and very similar to existing nVidia graphics cards. = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting df4672bbb978ae7018e7a9db0fcce6845559be2f 6007 6005 2017-08-25T13:55:53Z JayFoxRox 2 /* NV2A GeForce3 Integrated GPU */ wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/Xbox_Hardware_Overview}} The Xbox is a standard PC, based on standard components, but extended with a some security solutions. This document gives an overview of the components the Xbox is made of. = Overview = Viewed by connection (similar to the Windows 2000 Device Manager view), the Xbox system hardware looks like this: Diagram modified by Fahad <pre>Xbox V1.0-1.5 | |-- Mobile Intel Pentium III 733mHz w/128kb Cache | |-- Flash ROM (V1.0/1.1 - | \-- PCI bus | |-- Programmable Interrupt Controller | |-- System Timer | |-- DMA Controller | |-- PCI Bridge Device - Host Bridge (0:0:0, 0x2a5) | |-- Memory Controller - SDRAM - Samsung K4D263238M-QC50 133mHz 16mb (0:0:3, 0x2a6) | | | |-- Top of Motherboard | | | | | |-- Pad 1 (closest to power connector) (empty) | | | | | |-- Pad 2 (left of Pad 1) | | | | | |-- Pad 3 (below Pad 4) | | | | | \-- Pad 4 (closest to AV connector) (empty) | | | \-- Bottom of Motherboard | | | |-- Pad 5 (paralell to Pad 1) (empty) | | | |-- Pad 6 (paralell to Pad 2) | | | |-- Pad 7 (paralell to Pad 3) | | | \-- Pad 8 (paralell to Pad 4) (empty) | |-- HUB Interface - ISA Bridge (0:1:0, 0x1b2) [nForce] | |-- SMBus Controller (0:1:1, 0x1b4) [nForce] | | | |-- PIC16LC | | | |-- Conexant 25871/Focus 454/Xcalibur Video Encoder | | | |-- ADM1032 System Temperature Monitor | | | \-- Serial EEPROM | |-- OHCI USB Controller (0:2:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 1 &amp; 2) | |-- OHCI USB Controller (0:3:0, 0x1c2) [nForce] | | | \-- USB HUB (Controller Ports 3 &amp; 4) | |-- MCP-X V3 Southbridge | | | |-- MCP Networking Adapter (0:4:0, 0x1c3) [nForce] | | | \-- MCP APU (0:5:0, 0x1b0) [nForce] | |-- AC`97 Audio Codec Interface (0:6:0, 0x1b1) [nForce] | |-- Simple Communication Controller - Generic Modem (0:6:1, 0x1c1) [???] | |-- IDE Controller (0:9:0, 0x1bc) [nForce] | | | |-- Primary IDE Channel | | | | | |-- Seagate ST3210014ACE 10.2gb (8gb used)/Custom Western Digital WD80EB 8gb hard drive | | | | | \-- Custom Samsung/Phillips/Thompson/LG DVD Drive | | | \--- Secondary IDE Channel | |-- PCI Bridge (0:8:0, 0x1b8) [nForce] | \-- AGP Host to PCI Bridge (0:30:0, 0x1b7) [nForce] | \-- NV2A GeForce 3MX Integrated GPU/Northbridge 233mHz (1:0:0, 0x2a0) </pre> <br /> PCI devices have their Bus:Dev:Func numbers as well as the DevID printed next to them. PCI devices with "[nForce]" have the same DevIDs as their counterparts of the nForce chipset. A derivative of the Xbox chipset is also available as the PC chipset "nVidia nForce", which consists of a northbridge with the memory interface and the GPU and the southbridge with the PCI bus and its devices, just like the Xbox chipset. Many of the southbridge PCI devices are the same on both versions, i.e. they have the same DevID. = The Devices in Detail = == Intel Pentium III CPU == See [[CPU]] == Flash ROM == See [[Flash ROM]] == PCI bus, Host Bridge, ISA Bridge, AGP Host to PCI Bridge, Memory Controller == These devices are identical to the corresponding devices contained in the nForce chipset. The PCI bus can be accessed like on any PC. == Programmable Interrupt Controller, System Timer, DMA Controller == These legacy PC/AT system devices are fully PC-compatible, but the timer frequency is 6% higher than in a PC. == SMBus Controller == Some low-speed devices are connected through the SMBus, so the southbridge contains an SMBus controller, compatible to the SMBus controller in the nVidia nForce chipset. Since nForce is based on AMD's original chipset for Athlon CPUs, the SMBus controller is AMD-756 compatible. == PIC16LC == See [[System Management Controller]] == Video Encoder == See [[Video Encoder]] == ADM1032 System Temperature Monitor == The Analog Devices ADM1032 is an SMBus device that does temperature measurement. == Serial EEPROM == See [[EEPROM]] == OHCI USB Controller, IDE Controller == These devices are compatible to standard PC devices. == MCP Networking Adapter, MCP APU, Audio Codec Interface == These are identical with the nForce devices. == Simple Communication Controller - Generic Modem == Nothing is known about the purpose of this device. It never gets used by the Xbox system software. It is probably there, because the nForce has a PCI softmodem, but in the Xbox, the corresponding lines of the Southbridge don't seem to be connected. == NV2A GeForce3 Integrated GPU == See [[GPU]] = Further Information = Information about all chips and links to technical documentation can be found at [https://web.archive.org/web/20100617022211/http://www.console-dev.com/xbox.htm Pixel8's site] somehting 5b43305a92045d7f31efa682925403d4c08b0747 0 3742 5995 5990 2017-08-25T04:49:48Z KaosEngineer 2482 /* Contents */ Standard Timezone Start address wrong 5C should have been 6C wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 536452bc6cdfcc98efe2b54594d2940c7536fc4c 6008 5995 2017-08-25T14:04:51Z JayFoxRox 2 /* Further Reading */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xA8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 8b429162c2014566d8f6ce69e35432e81a5f5e5b 6009 6008 2017-08-25T14:25:59Z KaosEngineer 2482 /* Contents */ Other XBLive settings? typo 0xA8 should be 0xB8 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** 0x00014000 = NTSC, 0x00038000 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] fe261993c77b833c72c270d3436265a918edb525 6010 6009 2017-08-25T15:01:59Z KaosEngineer 2482 /* Contents */ 0x58-0x5B Video Standard missing NTSC-J value and the byte ordering wrong should be for little endian not big endian - values for all three standards modified and added as needed. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | ** Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] cfcbdfeefa707d092f69507b7bc1c15bcca44c75 6011 6010 2017-08-25T15:02:36Z KaosEngineer 2482 /* Contents */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | 0=MAX rating |- | 0xA0 | 0xA3 | 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | 0=Max rating |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] d5bdd14e51ca839d67dfe17b52bbf2544b3fd2f3 6012 6011 2017-08-25T15:14:01Z KaosEngineer 2482 /* Contents */ Offset 0x93-0xA7 - Three (3) Parental Control entry descriptions updated. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | other Checksum of next |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 20143c427488f4e78da39aa5ae0d5e0a928bfcda 6014 6012 2017-08-25T15:27:19Z KaosEngineer 2482 /* Contents */ Checksum2 and Checksum3 descriptions updated wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Bias? |- | 0x8C | 0x8F | Daylight Bias? |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] d5754ea5394f26c589b6800216998877642c55c8 6016 6014 2017-08-25T15:52:08Z KaosEngineer 2482 /* Contents */ 0x78 Start Standard Time, 0x7C Start Daylight Saving Time Descriptions Updated wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias - Offset in # minutes from GMT |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 18cfa69438d03aa1d2646957396c67cd4e943ae8 6017 6016 2017-08-25T16:12:40Z KaosEngineer 2482 /* Contents */ 0x94-0x97 Video Settings Description updated wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias? |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias - Offset in # minutes from GMT |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 25ccf3779db1c39a373bab55aedfedd65c126c21 6018 6017 2017-08-25T20:56:21Z KaosEngineer 2482 /* Contents */ 0x88-8B Standard time zone bias - description updated not sure what this is used for but Zone Bias is offset from GMT to subtract (PIC clock set to GMT ?) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone |- | 0x6C | 0x6F | Daylight timezone |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 5e2eecaea9f92a63ab9d8281a43d1659147968bf 6019 6018 2017-08-25T21:02:49Z KaosEngineer 2482 /* Contents */ 0x68 and 0x6C description update for timezone strings wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? (0x00000000) |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 419c01b6c4ea32a71d3fa465d1df30f62338b09d 6020 6019 2017-08-25T21:27:23Z KaosEngineer 2482 /* The Serial Number */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? (0x00000000) |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 |\____/ ||||| | | ||||| | | |||||___ factory number (2 digits - 02 = Mexico, 03=Hungary, 05=China, 06=Taiwan) | | ||| | | |||____ week of year (starting Mondays) (2 digits) | | |______ last digit of year | | | |_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] a7d9388857cdaf10ddfdff237f1fe5f7eec28f30 6021 6020 2017-08-25T21:28:34Z KaosEngineer 2482 /* The Serial Number */ reverted back to previous version wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? (0x00000000) |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 419c01b6c4ea32a71d3fa465d1df30f62338b09d 6022 6021 2017-08-25T21:41:39Z KaosEngineer 2482 /* The Serial Number */ Testing wikimedia table generator format, adding in addition to current, can remove if it sucks! wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? (0x00000000) |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 79fd20b604c5dcb24849c62c846b69ed53844506 6023 6022 2017-08-25T21:46:32Z KaosEngineer 2482 /* The Serial Number */ Added factory countries to wikimedia generator's table wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 156 bytes |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias ? (0x00000000) |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST = Yes, 0xFFFFFFC4 (-60); if DST = No, 0x00000000 (0). |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 6b3679afa3a7cdda2e4be519fbe9fc1388e6e8d6 6035 6023 2017-08-27T00:13:31Z KaosEngineer 2482 /* Contents */ Corrections to a few entries, Checksum3 range, Standard Time zone bios, unknown region last 64 bytes (DO NOT modify content there) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 bytes (0x64-0xBF) |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias = if DST=No, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST=Yes, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A? see 10 too = Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] b8a3e03abc63519d4384ce76b2798b8d975c486a 6036 6035 2017-08-27T00:20:40Z KaosEngineer 2482 /* Contents */ there was an = should have been a ; for 0x88-0x8F offset standard time zone bias description wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 bytes (0x64-0xBF) |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes from GMT (0x0000168 = 360 = 6hr for GMT-06 Central) subtract value from GMT time |- | 0x68 | 0x6B | Standard timezone - NULL terminated length 3 string (e.g., CST\0) |- | 0x6C | 0x6F | Daylight timezone - NULL terminated length 3 string (e.g., CDT\0) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | if DST=Yes, Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x7C | 0x7F | if DST=Yes, Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour); otherwise do not change time |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if DST=No, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST=Yes, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96 value 0x4A? see 10 too = Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode - 4 button sequence - 7=X, 8=Y, B=LTrigger, C=RTrigger |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] eba4895291a91896047de5a6061a4114b3d93ade 6037 6036 2017-08-27T01:31:38Z KaosEngineer 2482 /* Contents */ Descriptions updated for timezone standard and daylight start dates, parental passcode, video settings reverted most to original as not what I was seeing still need to test more settings here. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 bytes (0x64-0xBF) |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard timezone - 4 character Standard TZ name; NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight timezone - 4 character Daylight TZ name; NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled) |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 7c5ef9e071ce64e82178b06981d38de2a98b6fd3 6038 6037 2017-08-27T01:35:04Z KaosEngineer 2482 /* Contents */ standard and daylight timezone name descriptions reworded (shortened) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 bytes |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | **Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 bytes (0x64-0xBF) |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled) |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] f79e1b2f47223ca1279e8d527f312b6e747853c6 0 3748 5997 5491 2017-08-25T13:42:33Z JayFoxRox 2 wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is also the hardware which is connected to the Power and Eject buttons. The PIC is running at 20 MHz with its own ROM, RAM and I/O lines. The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P2L{{citation needed}} * D01 (Seen in a debug kit) bcc9662997931149d4c1a738e196e4651dfacff6 0 3762 5999 5637 2017-08-25T13:44:57Z JayFoxRox 2 wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MiB; 0xFFFC0000, if the ROM is 256 kiB) into the but the Xbox kernel. For the content of the Microsoft flash images see [[BIOS]]. 9269e690a1068100a9bdb65a43bb0618aaf59899 6001 5999 2017-08-25T13:45:41Z JayFoxRox 2 JayFoxRox moved page [[Flash]] to [[Flash ROM]] without leaving a redirect wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip and connected to the [[MCPX]] via the <abbr title="Low Pin Count">LPC</abbr> bus. The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MiB; 0xFFFC0000, if the ROM is 256 kiB) into the but the Xbox kernel. For the content of the Microsoft flash images see [[BIOS]]. 9269e690a1068100a9bdb65a43bb0618aaf59899 0 1 6002 5956 2017-08-25T13:46:01Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] b40900fb292908e0e52b1bd7e714f07a7acc12e6 0 3674 6003 5709 2017-08-25T13:46:35Z JayFoxRox 2 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFE000000 |- |APU Registers |colspan="2"|0xFE800000 - 0xFE880000 |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC01000 |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED01000 |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED09000 |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF00400 |- |[[Flash]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory(location + 1) << 8 | get_memory(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 401a84491ea2a9de87829e025ec77b7dbe21f965 0 3672 6004 5855 2017-08-25T13:47:47Z JayFoxRox 2 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === Unknown === From 0x00000000 - 0x0000007F Not sure what this does. Some people think it might be involved with initialising the [[MCPX]]{{citation needed}}. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM{{citation needed}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 97c4e2c6f52b4393804a7870aa51e7b19f75ddd1 0 3681 6006 5921 2017-08-25T13:54:32Z JayFoxRox 2 wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that that the Pentium III in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] (This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. 753ed527b2f41e89f7449f005166ac42312fb7be 0 3756 6013 5483 2017-08-25T15:20:15Z Codeasm 2480 Added motherboard part table based on source, and usb wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] == Mainboard == The following table is based on a Xbox 1.0{{citation needed}} retail board {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} Only the 1.0 and 1.2(?) {{citation needed}} had a USB daugtherboard {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm] 7433faf7e8c4e8007c287ec8fc67bcc567c5502c 6015 6013 2017-08-25T15:48:24Z Codeasm 2480 Changed USB daugtherboard detail and added credit wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] == Mainboard == The following table is based on a Xbox 1.0{{citation needed}} retail board and credits go to PiXEL8 {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} Only the 1.0 and 1.1 {{citation needed}} had a USB daugtherboard {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm] 9853361e799d2d9817879fcfc7a19afaf462282d 0 3768 6024 5986 2017-08-26T08:42:24Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 3299154ce8249e3b5c1a6934d53142ffc52794b3 6025 6024 2017-08-26T08:45:17Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") - added images of frontside PCB */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== {{FIXME|reason=See http://wiki.tolabaki.gr/mediawiki/images/d/db/Xbox_rc_vanilla.jpg . Needs more pics}} [[File:IR_DONGLE_REV_B.jpeg|thumb|200px|Frontside(Initial)]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|TSOP]] ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 80e2cfa6b5dd0c1562c350385af67aa3047acaf8 6028 6025 2017-08-26T08:46:35Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") - reduced to a single image with part numbers */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|FrontPCB]] ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 814bd58dfd34cc6695e8fe6eb6bf5a272ad9ee91 6029 6028 2017-08-26T08:48:36Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|FrontPCB]] * U3 MX23C4000TC-10 ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] de8dfc190952e14dfa6292ce904ff75c21e48ffd 6030 6029 2017-08-26T08:50:05Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== * U3 MX23C4000TC-10 [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of "IR DONGLE REV B"]] ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 067554e381eb6e687a60223df43e0d5c61e55f4d 6032 6030 2017-08-26T08:53:24Z Akspa 2493 /* X08-25387 (PCB: "IR DONGLE REV B") - Sticker */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|IR Dongle Rev B Sticker]] * U3 MX23C4000TC-10 [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of "IR DONGLE REV B"]] ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 50ee9c3987b970e9f6a21bd06bee35c247b8bae9 6033 6032 2017-08-26T08:59:15Z Akspa 2493 /* Components */ wikitext text/x-wiki ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 85fd2bb5a8ac1e44e4ccef5c752b9f64a5dcf77a 6040 6033 2017-08-27T04:00:19Z DaveX 2487 wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || || || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 4cc61798c03f0caa871384fdd324c926e2195ea7 6 3834 6026 2017-08-26T08:45:29Z Akspa 2493 Image of front of pcb wikitext text/x-wiki Image of front of pcb 0d18e5a024069da59e392aebdd4fd93d96d82d78 6 3835 6027 2017-08-26T08:45:33Z Akspa 2493 Front of PCB with TSOP part numbers visible wikitext text/x-wiki Front of PCB with TSOP part numbers visible b87e521efe6509bdd3151c1a14bec289e05cbd27 6 3836 6031 2017-08-26T08:52:37Z Akspa 2493 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 2 3837 6034 2017-08-26T09:14:26Z Akspa 2493 Created page with "Been tinkering with Xbox stuff since 2001. Be it hardware, software, or otherwise. Under different usernames, I've been involved in: Xbox Linux dev, halo map modding (and some..." wikitext text/x-wiki Been tinkering with Xbox stuff since 2001. Be it hardware, software, or otherwise. Under different usernames, I've been involved in: Xbox Linux dev, halo map modding (and some corresponding GUI tools), softmod updated repacks, and lots of really badly thought-out potential attack points to exploit the xbox security system. I've attempted getting the Xbox Alpha Kit software running under virtualization, going as far as to edit the system xbe's in order to skip over nvidia hardware checks, without knowing anything about opcodes and the like (and likely, xbe/exe signatures, which just dawned on me this moment). I've kept my xbox's alive for the past 14 years, and still have a decent library of Xbox and Xbox 360 discs. 0c5d7b8307fd9de5c8a212c942f05c1df4fa0c00 6 3838 6039 2017-08-27T03:58:54Z DaveX 2487 Author: "Evan Amos Vanamo Media" Copyright holder: "Public Domain" wikitext text/x-wiki Author: "Evan Amos Vanamo Media" Copyright holder: "Public Domain" 7996318047cddcf91cafc0449dca2bb3b3fcadc9 0 3707 6041 5729 2017-08-28T02:25:03Z KaosEngineer 2482 /* Models */ Added a few models from data I'd saved from working on Xbox's (I need to better compile my data in a spreadsheet/database. Looking through all these files takes too long.) wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] 1b9ef96a99e9249ed3aa7832c634231e65348ff2 6042 6041 2017-08-28T02:25:34Z KaosEngineer 2482 /* Models */ wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] d84ed4572218894fee3df335d806ad29ee9b3f27 6043 6042 2017-08-28T08:19:59Z JayFoxRox 2 /* Partitions */ wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Models == {| class="wikitable |- ! Xbox Version ! Manufacturer ! Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] d65ef617f6b068352d8a175594e3a00d4ad217a7 0 3742 6044 6038 2017-08-28T12:46:12Z KaosEngineer 2482 /* Contents */ ConfigMagic-Final-1.6 EEPROM Checksum anomalies (wrong value for size parameter to QuickCRC function call). wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled) |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 used the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 was correct since the extra 4 bytes not used in the CRC computation were all 0's which would not change the computed CRC value. However, Simliar problem with computation of Checksum3, the extra 4 bytes used are all 0's on all but v1.6 Xbox's. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 60de86e768dd85bedfcbeb9c9449dba5fa240d76 6045 6044 2017-08-28T12:48:59Z KaosEngineer 2482 /* Contents */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled) |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 used the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The extra 4 bytes used are all 0's on all but v1.6 Xbox's. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] e4d606da02409caf7e0f40b247b58fe8a980ef02 6046 6045 2017-08-28T12:51:56Z KaosEngineer 2482 /* Contents */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe) |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0=MAX rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled) |- | 0xA4 | 0xA7 | Parental Control Movies (0=Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 81df1948d4845ec49204d8007758bfa078651256 6051 6046 2017-08-28T13:41:09Z JayFoxRox 2 Cleanup wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Parental Control Games (0 = Max rating) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence * 0x07 = {{input-x}} * 0x08 = {{input-y}} * 0x0B = {{input-lt}} * 0x0C = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} |- | 0xA4 | 0xA7 | Parental Control Movies (0 = Max rating) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] b4c2ee1862d32bc60d57811f260776f9a632cdcc 6091 6051 2017-08-29T16:50:07Z KaosEngineer 2482 /* Contents */ Update Movie and Game parental control level notes only 1 byte needed remaining 3 for proper 4-byte alignment of data (32-bit boundary), also parental pass code saved in 2 bytes doesn't need all 4. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble not byte) * 0x01 = {{input-up}} * 0x02 = {{input-down}} * 0x03 = {{input-left}} * 0x04 = {{input-right}} * 0x07 = {{input-x}} * 0x08 = {{input-y}} * 0x0B = {{input-lt}} * 0x0C = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note: EEPROM offset 0xA0: 23 14 00 00 Little Endian value 0x00001423. The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 97d1e1561e1d4313570271e00809fba7693c10fc 6092 6091 2017-08-29T16:56:34Z KaosEngineer 2482 /* Contents */ formatting of Note on pass code storage in a word (2-bytes) not 4 (remaining 2 for even 32-bit data alignment) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble not byte) * 0x01 = {{input-up}} * 0x02 = {{input-down}} * 0x03 = {{input-left}} * 0x04 = {{input-right}} * 0x07 = {{input-x}} * 0x08 = {{input-y}} * 0x0B = {{input-lt}} * 0x0C = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: 23 14 00 00 * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 882d2da9ddb02a0039f3c472dd61473877694b17 6093 6092 2017-08-29T17:03:01Z KaosEngineer 2482 /* Contents */ 0xA0 Note formatting still no quite right trying to get a list inside the Note box 1 space before each line but the * doesn't make a list inside wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble not byte) * 0x01 = {{input-up}} * 0x02 = {{input-down}} * 0x03 = {{input-left}} * 0x04 = {{input-right}} * 0x07 = {{input-x}} * 0x08 = {{input-y}} * 0x0B = {{input-lt}} * 0x0C = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: 23 14 00 00 * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 7fba14545ef8aaa0587d176d21181829d7c91110 6094 6093 2017-08-29T21:55:01Z JayFoxRox 2 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: 23 14 00 00 * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 4f7166aefb6a7b3c53c64d7fe7e3ee07979e4756 6095 6094 2017-08-29T22:00:01Z JayFoxRox 2 Fix formatting issue wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00 | None |- | 0x01 | Region 1 |- | ... | ... |- | 0x06 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 958f7c9177c139b7ac05bf6dfa1ca5b4c53b6d4c 6096 6095 2017-08-29T22:03:51Z JayFoxRox 2 DWORD should imply 4 byte wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 1 | North America |- | 2 | Japan |- | 4 | Europe/Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 0b26312bf181d0e3b1d71f8dbd8e795f140c72e2 6097 6096 2017-08-29T22:04:22Z JayFoxRox 2 DWORD should imply 4 byte wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 5279aa38d075bdc4535ab62911b2d31f1a1a13c7 10 3839 6047 2017-08-28T13:39:02Z JayFoxRox 2 Created page with "X-Button" wikitext text/x-wiki X-Button bad91d311f01eb615dc96ea0f090a1349214b11b 10 3840 6048 2017-08-28T13:39:09Z JayFoxRox 2 Created page with "Y-Button" wikitext text/x-wiki Y-Button 685ca0c76a5e11062452343edb0444399602966b 10 3841 6049 2017-08-28T13:39:16Z JayFoxRox 2 Created page with "Left-Trigger" wikitext text/x-wiki Left-Trigger 07be225e1046b8c5b1ddef8121b445cc888c053b 10 3842 6050 2017-08-28T13:39:23Z JayFoxRox 2 Created page with "Right-Trigger" wikitext text/x-wiki Right-Trigger 77e800e462d20481e2a77feb2a72397f4a2b65e7 10 3843 6052 2017-08-28T13:42:11Z JayFoxRox 2 Created page with "A-Button" wikitext text/x-wiki A-Button 1d4e1d655b048a41b90622e8b3c9647d162d1e64 10 3844 6053 2017-08-28T13:42:20Z JayFoxRox 2 Created page with "B-Button" wikitext text/x-wiki B-Button 5010e317dbe33e5eeaf82aa4597b4b74d7a68e45 10 3845 6054 2017-08-28T13:48:15Z JayFoxRox 2 Created page with "Digital-Pad-Up" wikitext text/x-wiki Digital-Pad-Up e76f3cb45774278b5e6bb99e7fd82820affaa682 10 3846 6055 2017-08-28T13:48:26Z JayFoxRox 2 Created page with "Digital-Pad-Down" wikitext text/x-wiki Digital-Pad-Down 1b2c2d2669665958c92cc72eda77e0a2571fa1e8 10 3847 6056 2017-08-28T13:48:38Z JayFoxRox 2 Created page with "Digital-Pad-Vertical" wikitext text/x-wiki Digital-Pad-Vertical 39e96e22c596ee1c6c37dd8586c3391a00ea2f3b 10 3848 6057 2017-08-28T13:48:48Z JayFoxRox 2 Created page with "Digital-Pad-Horizontal" wikitext text/x-wiki Digital-Pad-Horizontal c2eb34da9f70feecabef7fa5859080b385632d8a 10 3849 6058 2017-08-28T13:48:56Z JayFoxRox 2 Created page with "Digital-Pad-Left" wikitext text/x-wiki Digital-Pad-Left 659cb63da6425b0ee0e0c340d6fd927ba80599d1 10 3850 6059 2017-08-28T13:49:04Z JayFoxRox 2 Created page with "Digital-Pad-Right" wikitext text/x-wiki Digital-Pad-Right ef99efa1a042bbbc54ed3e4ed1a4195d085095b4 10 3851 6060 2017-08-28T13:49:28Z JayFoxRox 2 Created page with "Left-Thumbstick-Press" wikitext text/x-wiki Left-Thumbstick-Press 24b9bc2db80c5d165d74b3d1d359699c6c6f712c 10 3852 6061 2017-08-28T13:49:37Z JayFoxRox 2 Created page with "Left-Thumbstick-Horizontal" wikitext text/x-wiki Left-Thumbstick-Horizontal 1c1050637c0fc018a58c8197554ebf6984cce186 10 3853 6062 2017-08-28T13:49:47Z JayFoxRox 2 Created page with "Left-Thumbstick-Left" wikitext text/x-wiki Left-Thumbstick-Left 2c18158e3df41d4e8d29f48b1c899c088ef6f271 10 3854 6063 2017-08-28T13:49:57Z JayFoxRox 2 Created page with "Left-Thumbstick-Right" wikitext text/x-wiki Left-Thumbstick-Right 4ad6c46904a9c0d7d8539c1aee9f2447ec0f2143 10 3855 6064 2017-08-28T13:50:09Z JayFoxRox 2 Created page with "Left-Thumbstick-Vertical" wikitext text/x-wiki Left-Thumbstick-Vertical b82b3ecb6a3e627598ce96d0e62bf55f94d43f8f 10 3856 6065 2017-08-28T13:50:25Z JayFoxRox 2 Created page with "Left-Thumbstick-Up" wikitext text/x-wiki Left-Thumbstick-Up f1bf9a39ebc6ba3e95eb4581ed6c11dc947f52c7 10 3857 6066 2017-08-28T13:50:36Z JayFoxRox 2 Created page with "Left-Thumbstick-Down" wikitext text/x-wiki Left-Thumbstick-Down 72d6d576457509b288714162a58e2458184baf5b 10 3858 6067 2017-08-28T13:50:50Z JayFoxRox 2 Created page with "Right-Thumbstick-Press" wikitext text/x-wiki Right-Thumbstick-Press 8275f42a29aaaf8bb3ef27c7f28bbba3e05641dc 10 3859 6068 2017-08-28T13:51:01Z JayFoxRox 2 Created page with "Right-Thumbstick-Horizontal" wikitext text/x-wiki Right-Thumbstick-Horizontal ddb9c26861325cb3d5bdef15d1678273fe15df2a 10 3860 6069 2017-08-28T13:51:11Z JayFoxRox 2 Created page with "Right-Thumbstick-Left" wikitext text/x-wiki Right-Thumbstick-Left c9ab59bc45eb3702afb0cf1df2916bb0104dc638 10 3861 6070 2017-08-28T13:51:22Z JayFoxRox 2 Created page with "Right-Thumbstick-Right" wikitext text/x-wiki Right-Thumbstick-Right 7f9c46b880fbeb6473e4253c81855051a005b871 10 3862 6071 2017-08-28T13:51:44Z JayFoxRox 2 Created page with "Right-Thumbstick-Vertical" wikitext text/x-wiki Right-Thumbstick-Vertical 93b22a766d76fa6eb64a873ee9b42b0375e8080e 10 3863 6072 2017-08-28T13:51:58Z JayFoxRox 2 Created page with "Right-Thumbstick-Down" wikitext text/x-wiki Right-Thumbstick-Down 620f00dc512aeece238038daa3353b9d6e9bd06d 10 3864 6073 2017-08-28T13:52:06Z JayFoxRox 2 Created page with "Right-Thumbstick-Up" wikitext text/x-wiki Right-Thumbstick-Up d326ff540175353f58c4c8d2154fc781a236ac53 10 3865 6074 2017-08-28T13:52:15Z JayFoxRox 2 Created page with "Black" wikitext text/x-wiki Black b406fb57b29fc76f71864fbb37f0238045f84d9d 6077 6074 2017-08-28T13:52:48Z JayFoxRox 2 wikitext text/x-wiki Black-Button c62794bfd8d9590b52146d852cb253634747a664 10 3866 6075 2017-08-28T13:52:23Z JayFoxRox 2 Created page with "White" wikitext text/x-wiki White 37619fc13053f82b7cb7da3d24ceb1598ab6d05c 6078 6075 2017-08-28T13:52:58Z JayFoxRox 2 wikitext text/x-wiki White-Button a49c0550c5f97454b2f2f85c7e166f8bdd74a5ed 10 3867 6076 2017-08-28T13:52:40Z JayFoxRox 2 Created page with "Start-Button" wikitext text/x-wiki Start-Button 936f0136c0c43b729e0c1656cdbd25da4eb7474a 10 3868 6079 2017-08-28T13:53:08Z JayFoxRox 2 Created page with "Back-Button" wikitext text/x-wiki Back-Button 33ecbf96046c5572ee5faa39d3720a10e7e58ec0 0 11 6080 5988 2017-08-28T13:54:46Z JayFoxRox 2 /* Controller to Xbox */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || A || rowspan="4" | Digital only, either 0 or 255 |- | Grip || B |- | A || X |- | B || Y |- | START || Start || |- | SE/BA || Back || |- | Aim Left / Right || Negative / Positive on left thumbstick X axis || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || Positive / Negative on left thumbstick Y axis |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps A pressed while trigger is held * Turbo mode 1 toggles A rapidly while trigger is held * Turbo mode 2 toggles A rapidly and once in a while B while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 832a7e638f06dc169cfb5e8433ce596a42388217 6084 6080 2017-08-28T13:57:55Z JayFoxRox 2 Use button templates wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || Directional Pad || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 72bfc406062889ffb8731bab30956b305162ffbe 6085 6084 2017-08-28T13:58:19Z JayFoxRox 2 /* EMS TopGun II */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] bd781c76f81217a7627e10d3e772f83e0b8f660e 10 3869 6081 2017-08-28T13:55:32Z JayFoxRox 2 Created page with "Digital-Pad" wikitext text/x-wiki Digital-Pad 026b3e735d4027c1e4342aa372f2093469267c50 10 3870 6082 2017-08-28T13:55:41Z JayFoxRox 2 Created page with "Right-Thumbstick" wikitext text/x-wiki Right-Thumbstick 47623753d7c2a775184ca392b7ee44edea3707b4 10 3871 6083 2017-08-28T13:55:52Z JayFoxRox 2 Created page with "Left-Thumbstick" wikitext text/x-wiki Left-Thumbstick fa832ea928026a4e7d440f306c109a4ffee96fdf 0 3768 6086 6040 2017-08-28T20:35:53Z Codeasm 2480 /* Known versions */ Im almost sure its region 2 (X08-25402-002) but ill dump the Rom tomorow wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || ||2 || || || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}} ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 85c08c31dbc430347f2437eda60a9df0133eb5d9 1 3743 6098 5427 2017-08-29T22:06:07Z JayFoxRox 2 /* Redundant information */ new section wikitext text/x-wiki == Chihiro key == Wouldn't we consider crypto-keys "dodgy shit"? Why is this here? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:49, 25 May 2017 (PDT) == Redundant information == Some values are explained in the table, others are explained below. We should figure out where to put this. I think putting it in the table makes more sense. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 15:06, 29 August 2017 (PDT) 0e75e9e4588f3b1db1bc486c918ea3861dc66596 0 3831 6099 5981 2017-08-30T02:02:11Z CobaltHex 2492 added specimin image wikitext text/x-wiki xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. {{Sidebar | name = Xtf | title = Xtf Font Format | image = [[File:http://i.imgur.com/u2P069H.png]] === File format === {{FIXME}} a4570b034e4291d080f3fe7ab93dded897936319 6100 6099 2017-08-30T02:02:42Z CobaltHex 2492 wikitext text/x-wiki xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. {{Sidebar | name = Xtf | title = Xtf Font Format | image = [[File:http://i.imgur.com/u2P069H.png]] }} === File format === {{FIXME}} 29c5ace84e29273943468b13ef92969eafc3bd4d 6101 6100 2017-08-30T02:03:58Z CobaltHex 2492 wikitext text/x-wiki [[File:http://i.imgur.com/u2P069H.png|thumb|200px|Remote and Receiver]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. === File format === {{FIXME}} 2995b01f7939539a2fc3c2ee0616f061b966203a 6103 6101 2017-08-30T02:10:37Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. === File format === {{FIXME}} 743b4c73c5233a6c2917b51e24e94caee2b01d08 6 3876 6102 2017-08-30T02:10:07Z CobaltHex 2492 Xbox Dashboard font specimen (Copyright Ascender Corp, Microsoft) wikitext text/x-wiki Xbox Dashboard font specimen (Copyright Ascender Corp, Microsoft) dc63773c54b0e007fdf1ec84fce43aabb4062ba4 0 3742 6104 6097 2017-08-30T03:32:59Z KaosEngineer 2482 /* Contents */ Zone Bias 0x64-0x67 example hex value was missing a leading 0 - 0x0000168 to 0x00000168 (not that it changes the value just show fill of all 4-bytes) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x01), right (0x04), down (0x02), left (0x03). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] dd3ce94b9468adf9963869de44957cc5b0d4685a 6112 6104 2017-08-30T12:23:07Z KaosEngineer 2482 /* Contents */ Removed leading 0's in notes for example pass code values. Matches with nibble values format above the notes. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Chip Models == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] b85278a5e17465b394e84ba5ffdd2a41bc74ac65 0 3683 6105 5911 2017-08-30T08:43:06Z KaosEngineer 2482 /* Stage 1: Key Scheduling */ Address range for s[] incorrect 0x8F000 to 0x850FF should be 0x8F000 to 0x8F0FF wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Weird stuff 3 ==== {{FIXME|reason=Why?}} <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 5c3bf6b1e2aa531a4fc26bdc21816184833f0bdb 0 3756 6106 6015 2017-08-30T10:52:05Z Obcd 2489 wikitext text/x-wiki [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] == Mainboard == The following table is based on a Xbox 1.0{{citation needed}} retail board and credits go to PiXEL8 {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} Only the 1.0 and 1.1 {{citation needed}} had a USB daugtherboard Correction: only the 1.0 has the USB daughterboard, a GPU fan and the MCPX 1.0 {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm] f13025b042af0ba530135dfc537913e2acec3539 6107 6106 2017-08-30T11:22:55Z JayFoxRox 2 wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on a Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] 6758a54a7b18453bb82b07078dcf51e31921c6e4 0 3707 6108 6043 2017-08-30T11:29:00Z JayFoxRox 2 Removed models from this article, moving to hardware revisions wikitext text/x-wiki The original Xbox hard disk drive was 8GB in size. Later releases, 1.3 and 1.4's had Seagate 10GB drives; however, only the first 8GB of the drive was used. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] c351edd6f2ddaa9f143861c201c403b1c1d99b83 6109 6108 2017-08-30T11:29:56Z JayFoxRox 2 wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX |- | C | System | 0x8ca80000 | 0x1f400000 | FATX |- | E | Data | 0xabe80000 | 0x131f00000 | FATX |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] dfca548103173bccb7bc3502c6105d59ebd4d716 0 3704 6110 5682 2017-08-30T11:30:56Z JayFoxRox 2 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 81486e60896018589f4b0bea74bb5b99d379257a 0 3669 6111 5899 2017-08-30T11:41:04Z JayFoxRox 2 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 5ee73efd9a3fc406e94e9e551c9b1ae6872522ec 6 3877 6113 2017-08-30T12:32:44Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3878 6114 2017-08-30T12:32:59Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3879 6115 2017-08-30T12:33:13Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3880 6116 2017-08-30T12:33:23Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3881 6117 2017-08-30T12:33:37Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3882 6118 2017-08-30T12:33:47Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3883 6119 2017-08-30T12:34:00Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3884 6120 2017-08-30T12:34:11Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3885 6121 2017-08-30T12:34:31Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3886 6122 2017-08-30T12:34:39Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3887 6123 2017-08-30T12:34:52Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 10 3843 6124 6052 2017-08-30T12:38:43Z JayFoxRox 2 wikitext text/x-wiki [[File:input-a.png|frameless|24px|Alt=A button]] a3e4d943375215501e57fd92b7b28c056f9704b9 10 3865 6125 6077 2017-08-30T12:39:10Z JayFoxRox 2 wikitext text/x-wiki [[File:input-black.png|frameless|20px|Alt=Black button]] 6a91c5e0a2a630d907cafe3bcabd09f8654787c7 10 3866 6126 6078 2017-08-30T12:39:25Z JayFoxRox 2 wikitext text/x-wiki [[File:input-white.png|frameless|20px|Alt=White button]] 86fc2955bfb5bd322b88b1b719e4030943f9a839 10 3844 6127 6053 2017-08-30T12:39:57Z JayFoxRox 2 wikitext text/x-wiki [[File:input-b.png|frameless|24px|Alt=B button]] 7228de34c88f36ce82f657cff647d3ef115e1adf 10 3839 6128 6047 2017-08-30T12:40:11Z JayFoxRox 2 wikitext text/x-wiki [[File:input-x.png|frameless|24px|Alt=X button]] 9c455c74ecc76dc2d9e77644675ad4a4d48822cd 10 3840 6129 6048 2017-08-30T12:40:23Z JayFoxRox 2 wikitext text/x-wiki [[File:input-y.png|frameless|24px|Alt=Y button]] deea2135df6298d81e8f72371b72f522996676b6 10 3867 6130 6076 2017-08-30T12:40:54Z JayFoxRox 2 wikitext text/x-wiki [[File:input-start.png|frameless|26px|Alt=START button]] 401f535ee9e837125269460a9f2ba783d09e3a07 10 3868 6131 6079 2017-08-30T12:41:07Z JayFoxRox 2 wikitext text/x-wiki [[File:input-back.png|frameless|26px|Alt=BACK button]] 949dc7f028e9a0d94b75a423339b4e6f3e2e1067 10 3869 6132 6081 2017-08-30T12:41:48Z JayFoxRox 2 wikitext text/x-wiki [[File:input-d.png|frameless|32px|Alt=Digital-Pad]] 883d296494473d3049acb3f15b76fce92c347956 10 3871 6133 6083 2017-08-30T12:42:18Z JayFoxRox 2 wikitext text/x-wiki [[File:input-l.png|frameless|32px|Alt=Left-Thumbstick]] 38162af37e455cac70c86667be87dfc55dd96d06 10 3870 6134 6082 2017-08-30T12:42:32Z JayFoxRox 2 wikitext text/x-wiki [[File:input-r.png|frameless|32px|Alt=Right-Thumbstick]] 3072e4591246b5049c7e9a6513c9c10c22f39f64 10 3852 6135 6061 2017-08-30T12:49:53Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Horizontal 3af45654d0a65cd892a23050fb8e1fa6ec7ca187 10 3853 6136 6062 2017-08-30T12:50:07Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Left 80f7ea8f547f9c2ed5876883a20f2555035f2ffe 10 3854 6137 6063 2017-08-30T12:50:15Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Right d31f9f79a38e4eea3294942341de5de823c57877 10 3855 6138 6064 2017-08-30T12:50:26Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Vertical 133d67f33be66ac2466ef88b84ed5c11045903fa 10 3857 6139 6066 2017-08-30T12:50:33Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Down 6bff11489678f8612abb523026e74d82d3478d04 10 3856 6140 6065 2017-08-30T12:50:41Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Up 50467e54bb8afb842147d67237c3c84fc14090e2 10 3859 6141 6068 2017-08-30T12:50:57Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Horizontal 459f143786ea3e136c581344bc603d48ae47ecc2 10 3860 6142 6069 2017-08-30T12:51:05Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Left 58f1ed99b7e8d8c4258b6e3116a0f9a1a333dcfa 10 3861 6143 6070 2017-08-30T12:51:13Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Right 758180cf43a2f543202692374b196a9ce4e1afa3 10 3862 6144 6071 2017-08-30T12:51:22Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Vertical 114d3a42560a62ad55b7d6ede6c854e0ad3e1f16 10 3863 6145 6072 2017-08-30T12:51:29Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Down 1b19757f7b305abe4b726cf0e4bb9a66f77d08b0 10 3864 6146 6073 2017-08-30T12:51:36Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Up abc244f86426174ed6487317a34bf4bc6eef3c07 10 3848 6147 6057 2017-08-30T12:51:49Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Horizontal d90e0dc8cdfec5b18497f16375ea520d73f2640a 10 3850 6148 6059 2017-08-30T12:52:02Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Right c6aff6ccd0fa947dc0d482b5a184f7166c90c642 10 3849 6149 6058 2017-08-30T12:52:09Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Left d67105737167429ecc79a8d0eb3f5b9e3f8dd994 10 3847 6150 6056 2017-08-30T12:52:19Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Vertical f57204e8ffd8576dda2cbf2c7290933787a1bfe3 10 3846 6151 6055 2017-08-30T12:52:28Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Down 6561aae32b0fba898d3d4a66af2453867303e77d 10 3845 6152 6054 2017-08-30T12:52:36Z JayFoxRox 2 wikitext text/x-wiki {{input-d}}-Up 3dd82a7733661ee26c6b114e572c249a78060a5c 10 3851 6153 6060 2017-08-30T12:53:47Z JayFoxRox 2 wikitext text/x-wiki {{input-l}}-Press d38353d3771463c38d73645d40df8859fe2f7bd9 10 3858 6154 6067 2017-08-30T12:53:57Z JayFoxRox 2 wikitext text/x-wiki {{input-r}}-Press 57b67342b28ec3d3102977777b542ae1f8da2a1a 6 3888 6155 2017-08-30T13:35:00Z JayFoxRox 2 Font contained in Xbox.xtf wikitext text/x-wiki Font contained in Xbox.xtf 4efe444085c23f2896b8600bea6a8f86f6eb8474 6158 6155 2017-08-30T21:02:34Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:Xbox-xtf.png]] wikitext text/x-wiki Font contained in Xbox.xtf 4efe444085c23f2896b8600bea6a8f86f6eb8474 6 3889 6156 2017-08-30T13:35:30Z JayFoxRox 2 Font contained in XBox Book.xtf wikitext text/x-wiki Font contained in XBox Book.xtf 7a671028dd7239da064cb5dc4f056defbe0ba7b7 6159 6156 2017-08-30T21:02:58Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:XBox Book-xtf.png]] wikitext text/x-wiki Font contained in XBox Book.xtf 7a671028dd7239da064cb5dc4f056defbe0ba7b7 0 3831 6157 6103 2017-08-30T13:42:22Z JayFoxRox 2 Add example glyphs wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|frame|Xbox.xtf from [[Dashboard]].{{FIXME|reason=Broken kerning}}]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|frame|XBox Book.xtf from [[Dashboard]].{{FIXME|reason=Broken kerning}}]]</div> == File format == {{FIXME}} 33999db2bcb597c736071bfe2d0ced63b0d1768b 6160 6157 2017-08-30T21:03:23Z JayFoxRox 2 /* XBox Book.xtf */ wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|frame|Xbox.xtf from [[Dashboard]].{{FIXME|reason=Broken kerning}}]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|frame|XBox Book.xtf from [[Dashboard]].]]</div> == File format == {{FIXME}} f9b9cc552e072627cc845872742ce86968da196f 6161 6160 2017-08-30T21:03:33Z JayFoxRox 2 /* Xbox.xtf */ wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|frame|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|frame|XBox Book.xtf from [[Dashboard]].]]</div> == File format == {{FIXME}} c250cdfcef0d6e4b468357c32a6622feba0b684d 6162 6161 2017-08-30T21:07:38Z JayFoxRox 2 /* Xbox.xtf */ wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|frame|XBox Book.xtf from [[Dashboard]].]]</div> == File format == {{FIXME}} 81fe1dfd719656a8c4f14150588b987b1c8f5ecc 6163 6162 2017-08-30T21:08:00Z JayFoxRox 2 /* XBox Book.xtf */ wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] xtf is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == {{FIXME}} c06e9fcda45ce6e2173e322cc4b0da4ad8b37d1d 0 3818 6164 5930 2017-08-31T09:50:41Z Codeasm 2480 /* power cord recall */ t number: X800925-100 200-240V~,50/60HZ, 610mA wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{citation needed}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} An more in detail video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] ===== AFCI ===== An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumely this one doesnt come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] 13bc8bbd7019f193ef591e28df09dae982ab2d05 6165 6164 2017-08-31T09:51:46Z Codeasm 2480 /* Related links */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {citation needed} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {citation needed} (240V) * MODEL: FTPS-0007 REV:B {citation needed} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {citation needed} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{citation needed}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} An more in detail video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] ===== AFCI ===== An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumely this one doesnt come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] c14d9ecf89f167f3ad11e3f0928cbf9f8972b8aa 6175 6165 2017-08-31T16:21:53Z JayFoxRox 2 Fix {citation-needed} wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== power cord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 xboxes.{{citation needed}}. '''Does my console require a replacement cord?''' If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords. source: [https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7 Xbox powercord recall program faq] Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]. The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} An more in detail video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] ===== AFCI ===== An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumely this one doesnt come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] c84f67c9dc3f44d172ca01afc7e7fde557904421 6176 6175 2017-08-31T16:27:27Z JayFoxRox 2 /* power cord recall */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumely this one doesnt come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] b650bd4fa01274de3f0eb194d386b50c0c637259 0 3768 6166 6086 2017-08-31T12:20:59Z Codeasm 2480 My dongle gave an error, but the 002 one worked. did someone messed the table up? wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || CodeAsm got an error with this dongle |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || CodeAsm got this one |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] f750053c6f8147657af2678c23b4cb48645259d3 6167 6166 2017-08-31T12:38:54Z Codeasm 2480 My dongle gave an error, but the 002 one worked. did someone messed the table up? wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || CodeAsm got an error with this dongle, no rom. |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || CodeAsm got this one |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] acfa6c95535ae0e928b3f736e54474627c4cc776 6174 6167 2017-08-31T15:07:25Z Codeasm 2480 hmm, no names wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. == Remote Control == == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === {{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] d92f582ec93bc403f6124fbf4342f8a0dfe3fe13 0 11 6168 6085 2017-08-31T12:57:11Z Codeasm 2480 /* Light guns */ added Joytech sharp shooter, need to retest wich joystick it uses, asumed it was indeed the left stick. wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 {{citation needed}} |- | B button || {{input-b}} | both sides |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} codeasm has to verify the toggle modes, they where more anyonging than helpfull. ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] dff2721a1e4cc11279477d9307ca134f5df2acbf 6169 6168 2017-08-31T12:57:47Z Codeasm 2480 /* Joytech Sharp Shooter */ inlicensed wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 {{citation needed}} |- | B button || {{input-b}} | both sides |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} codeasm has to verify the toggle modes, they where more anyonging than helpfull. ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] dc86034a4d803d4de167be0f830d52eedfb96c85 6173 6169 2017-08-31T15:06:35Z Codeasm 2480 /* Fire/Reload Mode */ hmm, no names wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 {{citation needed}} |- | B button || {{input-b}} | both sides |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] e37fd47a8196eb65a3676aad0a38132ce7988484 6177 6173 2017-08-31T16:47:15Z JayFoxRox 2 /* Joytech Sharp Shooter */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="2" | {{input-b}} |- | B (Bottom) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 6ed8f1cfa4d752365e1e78f78a34ec154ff56130 6178 6177 2017-08-31T16:47:34Z JayFoxRox 2 /* Joytech Sharp Shooter */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="5" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="2" | {{input-b}} |- | B (Bottom) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 9847d541c55eb4a2e9242dc730435b7b53117aab 6179 6178 2017-08-31T16:48:37Z Codeasm 2480 /* Joytech Sharp Shooter */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="5" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="2" | {{input-b}} |- | B (Right side) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |- | Magazine button || {{input-b}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 9f5f3b01e736a4fac1c0ecca0ce8e0eb6adf21f2 6180 6179 2017-08-31T16:50:25Z JayFoxRox 2 /* Joytech Sharp Shooter */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | Magazine button |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 17c4ab63cb4327d290438c475f7b05f934ca898b 6181 6180 2017-08-31T16:51:20Z JayFoxRox 2 /* Joytech Sharp Shooter */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}}+ {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 6b6c2a66a2bfed09cafa314e13fb4f5338c42cd8 6182 6181 2017-08-31T16:51:52Z JayFoxRox 2 /* Fire/Reload Mode */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 91e1904e4aec8ae65751c0590422ad1a715d3bfb 0 3772 6170 5678 2017-08-31T13:22:11Z KaosEngineer 2482 /* Hidden features */ Updated Parental Pass Code to use templated buttons. FormatAdminCodes found trying to locate old xbox-linux.org/down/usb_src.zip file w/WBM (never found it) but did these secret key combos to format/clear HDD except for C drive. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your Xbox's UDD that was acting up. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) Xbox v1.0: {{input-x}} {{input-y}} {{input-ly+}} {{input-lx-}} {{input-a}} Unknown version: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}}. (This one seems to work with most XBOXes sold in the United States) Unknown version: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} (This one worked with the XBOXes manufactured in Hungary, serial numbers ending in 03) Source: Wayback Machine [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] 95335bba33f6ba178c24dbcbf4afe93938805716 6171 6170 2017-08-31T13:25:10Z KaosEngineer 2482 /* Different Xboxes Use Different Codes */ mixed 1.0 combo first two buttons backwards wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your Xbox's UDD that was acting up. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} Unknown version: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}}. (This one seems to work with most XBOXes sold in the United States) Unknown version: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} (This one worked with the XBOXes manufactured in Hungary, serial numbers ending in 03) Source: Wayback Machine [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] 71e2264e926f8f3bb6bd7e28ca6431368eef8ec1 6172 6171 2017-08-31T13:30:04Z KaosEngineer 2482 /* Different Xboxes Use Different Codes */ Typo UDD instead of HDD and reworded end of that sentence too wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} Unknown version: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}}. (This one seems to work with most XBOXes sold in the United States) Unknown version: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} (This one worked with the XBOXes manufactured in Hungary, serial numbers ending in 03) Source: Wayback Machine [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] dd6fdc35b83ace6ed7665b30887fd036fcd76f54 6183 6172 2017-09-02T08:31:58Z KaosEngineer 2482 /* Different Xboxes Use Different Codes */ Made a sub heading for the list of Format Admin Codes wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? ===== List of Xbox Format Admin Codes ===== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} Unknown version: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}}. (This one seems to work with most XBOXes sold in the United States) Unknown version: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} (This one worked with the XBOXes manufactured in Hungary, serial numbers ending in 03) Source: Wayback Machine [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] 2675fd35c5c39275f77a5a2f7f9aef2df0df72aa 6184 6183 2017-09-02T08:33:19Z KaosEngineer 2482 /* Format Admin Codes */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} Unknown version: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}}. (This one seems to work with most XBOXes sold in the United States) Unknown version: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} (This one worked with the XBOXes manufactured in Hungary, serial numbers ending in 03) Source: Wayback Machine [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] d99912df49418596af84f65a219c08c147165147 6185 6184 2017-09-02T09:08:57Z JayFoxRox 2 /* List of Xbox Format Admin Codes */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different Xboxes Use Different Codes ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD. What part(s) of the serial number they used to determine the correct code is unknown? More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] c50a5152e7a2e7b338026650580b35d44b3217df 6186 6185 2017-09-02T09:10:10Z JayFoxRox 2 /* Different Xboxes Use Different Codes */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] == See Also == [[Hard Drive Files]] 97b52957245ab57c804a165f8739ca36b5098788 1 3890 6187 2017-09-02T09:16:34Z JayFoxRox 2 /* Format code: different codes / serial number relation */ new section wikitext text/x-wiki == Format code: different codes / serial number relation == * More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? Xbox versions usually refer to ''hardware'' revisions. However, formating is a ''software'' process. By the serial number, MS can figure out when the Xbox was produced and also what kind of dashboard shipped with it. I'd assume that the code is only depending on the dashboard version. I don't think the kernel version will have any influence as all input handling and disk formatting stuff is done in the XAPI / Dashboard; not the kernel. Therefore we can probably also easily test and confirm this in cxbx-r or xqemu by running various dashboards.{{FIXME|reason=do it!}} If we don't have it yet, we should try to make a backup of stock Xbox hdds, before installing a softmod. Try to archive the various dashboard versions. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 02:16, 2 September 2017 (PDT) ba9d7ce464c41f2e1b54426983609cd64d210266 6188 6187 2017-09-02T10:02:03Z JayFoxRox 2 /* Format code: different codes / serial number relation */ wikitext text/x-wiki == Format code: different codes / serial number relation == * More data is needed to sort out which Xbox a particular code works on, and what other codes exist. Is it based on Xbox scene version numbers? Most likely, NOT! Is it based on factory of production? Is it based on BIOS version? Does anyone know? This seems to be handled by settings3.xap: <code>thePanelJoystick.secretKey = "Y" + theConfig.GetRecoveryKey();</code> The <code>GetRecoveryKey</code> function seems to look up symbols from "AXYUDLR" based on some variation of the Xbox HD Key + another random 16 byte key (hardcoded into the kernel). Combined using <code>XcHMAC(hardcodedkeyimentioned, 16, XboxHDKey, 16, NULL, 0, buffer)</code>. Then the key is generated using: <pre> uint16_t* buffer_words = buffer; for(unsigned int i = 0; i < 4; i++) { code[i] = "AXYUDLR"[buffer_words[i] % 7]; } </pre> This function is similar to the one being used to generate Xbox Live account crypto keys. We should probably write a tool to locate these functions and extract the keys. All of these are contained in the dashboard app. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 02:16, 2 September 2017 (PDT) 7325ac920b7f4841b5144a885ef3dd15622c449d 0 3891 6189 2017-09-02T10:05:39Z JayFoxRox 2 Created page with "This key is (amongst other things) used to generate the Xbox recovery key used by the Dashboard. Users could ask MS support for their receovery key. So either Microsoft kept a..." wikitext text/x-wiki This key is (amongst other things) used to generate the Xbox recovery key used by the Dashboard. Users could ask MS support for their receovery key. So either Microsoft kept a database of all keys / serial numbers; or the serial number and this key are related. 61e7df9dc95473dd919af0c28f51114cb938629e 6195 6189 2017-09-02T12:28:11Z JayFoxRox 2 wikitext text/x-wiki This key is (amongst other things) used to retreive the Xbox recovery key used by the Dashboard. Users could ask MS support for their receovery key. So either Microsoft kept a database of all keys / serial numbers; or the serial number and this key are related. 902c0b7ae26c681dd599a8769f004f0d156fe615 0 3742 6190 6112 2017-09-02T10:23:40Z JayFoxRox 2 /* Chip Models */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The Serial Number== <pre> 1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> {| class="wikitable" ! style="text-align: center;" | 1 ! style="text-align: center;" | 1 ! style="text-align: center;" | 6 ! style="text-align: center;" | 6 ! style="text-align: center;" | 3 ! style="text-align: center;" | 5 ! style="text-align: center;" | 6 ! style="text-align: center;" | ! style="text-align: center;" | 2 ! style="text-align: center;" | 0 ! style="text-align: center;" | 9 ! style="text-align: center;" | 0 ! style="text-align: center;" | 3 ! style="text-align: center;" | ! |- | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | / | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | Factory Number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | week of year (starting Mondays) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | last digit of year (200Y) |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | \ | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | number of Xbox within week and factory |- | style="text-align: center;" | | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | style="text-align: center;" | | |- | style="text-align: center;" | \ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | style="text-align: center;" | _ | production line within factory |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 1505c624c2283840320738ec54fe66671ad7b644 6194 6190 2017-09-02T10:27:11Z JayFoxRox 2 /* The Serial Number */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup> |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup> |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. <sup>*</sup>Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 740df82650c911be4fa2bb4440e7308b0e342d76 0 3669 6191 6111 2017-09-02T10:24:25Z JayFoxRox 2 /* Identifying */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} == EEPROM == {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] b37d59cb2f75271e303056a6bd7e22593dc7c133 6192 6191 2017-09-02T10:24:37Z JayFoxRox 2 /* EEPROM */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 45954cf1d9cd5d1edcc4f1634451697f67a37896 6193 6192 2017-09-02T10:24:45Z JayFoxRox 2 /* EEPROM */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 8de7cca6c065b169d04fdc2e61b85d7b1e6a3253 0 3790 6196 5728 2017-09-02T12:40:47Z JayFoxRox 2 wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] 5632d1265f6abf8c92cb7db1741bb0fbc92391b2 0 3751 6197 5982 2017-09-05T03:27:21Z DaveX 2487 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is likely to be lost. However, this was not tested in praxis. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2017-09-05 |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] c34821b6b1d2d916f24620a3ec87e87c570a4267 0 3772 6198 6186 2017-09-05T17:33:56Z KaosEngineer 2482 Added Shaky Menu from gamefaqs.com - really a slowly moving menu I wouldn't really call it a SHAKY menu. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] ==== Traveling Main Menu ==== Turn on your Xbox and go to the dashboard, Press {{input-y}} {{ input-x}} at the main screen, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] 29ebec5e7bbdabf91adfca614c4bd68055dab35f 6199 6198 2017-09-05T17:34:55Z KaosEngineer 2482 /* Hidden features */ New Traveling Main menu wrong depth (one too many ='s in header) wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Main Menu === Turn on your Xbox and go to the dashboard, Press {{input-y}} {{ input-x}} at the main screen, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] 532c744a52330ebbfcc8f420217540d867ee1bb7 6200 6199 2017-09-05T17:41:13Z KaosEngineer 2482 /* Traveling Main Menu */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, Press {{input-y}} {{ input-x}} at the main screen, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] a3dc1902a7fd52e9954ae315e25513d57bc86eed 6201 6200 2017-09-05T17:43:46Z KaosEngineer 2482 /* Traveling Menus */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, Press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] cd95c155ba3a07d783037ee44e9c46678154b468 6202 6201 2017-09-05T18:25:54Z KaosEngineer 2482 /* Traveling Menus */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press "Y" then "X" while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press Info button on the DVD Playback Kit remote. But, wait there's more (only visible with DVD Playback Kit and Remote). Fullscreen Visualization Part 2: #Start playing a song using either the Xbox controller or playback kit remote. #Press "Y" then "X" on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] d68d23ec4ab7216c3fbc8f05fd5b0f0fc9f001e9 6203 6202 2017-09-05T19:15:06Z JayFoxRox 2 /* Music visualization in fullscreen */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg: ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] 27ceac14c7f66c7cc721ea88e0a5cab5aa2f4d5a 1 3744 6204 5446 2017-09-05T19:24:14Z JayFoxRox 2 input-* template usage wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) 746cdd5c2185eb8ce280cb3a603eb5854408653d 0 3751 6205 6197 2017-09-06T18:27:31Z JayFoxRox 2 Add list of movie DVDs wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is likely to be lost. However, this was not tested in praxis. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2017-09-05 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] f2a04cc07865991151f9c1ec48c10918a39027e0 0 3790 6206 6196 2017-09-07T14:41:48Z DaveX 2487 wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] fc02f4f09782e13441b880543a3561cfdeeff4f6 6210 6206 2017-09-11T05:26:16Z KaosEngineer 2482 /* Compatible USB sticks */ Added the USB Flash Drive I use to softmod. 64MB generic flash drive wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |- |USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] 10b877a5e4e3befaf0c9e407abbcc18366b56a67 6211 6210 2017-09-11T23:02:25Z DaveX 2487 wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. (It is rumored that the capacity should not exceed 4GB) However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |- |USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] 2ea2c10ea2849a176bf6fa55d34e724a6c79fc81 0 3831 6207 6163 2017-09-10T07:43:38Z JayFoxRox 2 File format info and link to a parser / converter tool wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]]. They contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 99241c85133caa41ae04b3b69dc506484ebac8f4 6212 6207 2017-09-12T15:33:22Z CobaltHex 2492 added more background info wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection:Link Convection fonts used on the Xbox 360]. Each font contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) Individual character meshes are stored as triangle strips {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 3a969ca64b23524d1858cc797dddf0f63cdb0521 6213 6212 2017-09-12T15:35:08Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contain 7365 glyphs each. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) Individual character meshes are stored as triangle strips {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 5f99da77d68b0bcc835409eff5d4c68afde5d876 6214 6213 2017-09-12T15:35:23Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contain 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) Individual character meshes are stored as triangle strips {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 5f1c24a0e6a382d059c876320dae6d52974bb7ac 6215 6214 2017-09-12T15:35:59Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contain 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle strip) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] a93363cb787931ae0d64f666b3c9be59cdb500d5 6216 6215 2017-09-12T15:52:44Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. Both fonts were also used for branding and promotional use. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contain 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle strip) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] c23c992ceb4e2280ef9171eaa506baabd6aa7499 6218 6216 2017-09-12T18:35:37Z DaveX 2487 /* Dashboard fonts */ wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. Both fonts were also used for branding and promotional use. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contains 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle strip) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] c5bc35536a29cae583927e2b137b56838e08e76f 6219 6218 2017-09-12T19:20:35Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use on the Xbox as well as for promotional materials. Matteson would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contains 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle strip) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 28ba7396e5c4f838803627c02810eeefef344d13 6220 6219 2017-09-12T19:21:08Z CobaltHex 2492 wikitext text/x-wiki [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use on the Xbox Dashboard as well as for promotional materials. Matteson would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360]. Each font contains 7365 glyphs. === Xbox.xtf === A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle strip) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] ffdd010285bc60340d84cd89582a928e0c345c8c 6221 6220 2017-09-12T20:10:38Z JayFoxRox 2 Ascender did not even exist at the time;; We already link to wikipedia which contains these non-technical, non-xbox details;; XTF is triangle lists, not strips wikitext text/x-wiki XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use in the Xbox [[Dashboard]] as well as for promotional materials. The XTF versions of these fonts contain 7365 glyphs each. === Xbox.xtf === [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range (stored as a triangle list) *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] aafd04baadd765700d871ad7c56f116e4f11aa8d 6222 6221 2017-09-12T20:13:46Z JayFoxRox 2 wikitext text/x-wiki XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use in the Xbox [[Dashboard]] as well as for promotional materials. The XTF versions of these fonts contain 7365 glyphs each. === Xbox.xtf === [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) The mesh data is stored as triangle list. 3 indices per triangle. {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] 40e3d35d27c0a7029c1d1f059e36397a67215449 0 3700 6208 5841 2017-09-11T04:56:46Z KaosEngineer 2482 /* Visible information on ring */ typo middel changed to middle wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unkown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 22db8cbb1e76a848f26f46f47bc94c9a5996d88c 6209 6208 2017-09-11T05:01:55Z KaosEngineer 2482 /* Dumping */ typo unkown fixed unknown wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} |- |Samsung SH-D163A |SATA | |SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353A |SATA | |{{citation needed}} |- |Toshiba TS-H353B |SATA | |{{citation needed}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 95a3eeb048abd8e408bfb161be8f425a7346b6a0 6223 6209 2017-09-16T07:59:45Z JayFoxRox 2 More logical order + name TS-H353A kreon fw explicitly wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162C?}} |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162D?}} |- |Samsung SH-D163A |SATA | |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |Kreon 0.80 (October 17th 2006) {{FIXME|reason=Same as SH-D163A?}} |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |{{citation needed}} {{FIXME|reason=Same as SH-D163B?}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] dcabcc1bb68936e64a536439b8d351dabb71efe4 6233 6223 2017-09-20T22:27:03Z CakeLancelot 2494 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162C?}} |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162D?}} |- |Samsung SH-D163A |SATA | |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |Kreon 1.00 (November 18th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |{{citation needed}} {{FIXME|reason=Same as SH-D163B?}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] bd501f2c99ef72e9f712d687c00ee0cab7e153b9 6234 6233 2017-09-20T22:33:27Z CakeLancelot 2494 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162C?}} |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162D?}} |- |Samsung SH-D163A |SATA | |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |Kreon 0.80 (October 17th 2006) <br> Kreon 1.00 (November 18th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |{{citation needed}} {{FIXME|reason=Same as SH-D163B?}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 99fca5864418bc4a7f2ce46087673849cef189cd 6235 6234 2017-09-20T22:36:50Z CakeLancelot 2494 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162C?}} |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162D?}} |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |Kreon 0.80 (October 17th 2006) <br> Kreon 1.00 (November 18th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |{{citation needed}} {{FIXME|reason=Same as SH-D163B?}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 270c3cabb6cd84fe0c381c0b50a9bfc0010ed1e1 6236 6235 2017-09-21T03:19:55Z CakeLancelot 2494 /* Dumping */ Finalize H353A Kreon FW and D163A Original FW. Previous edits are related to this, sorry for not putting a summary. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{citation needed}} | | |0800 |- |Toshiba SD-M2012C |IDE | |Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |SB00 Kreon 0.60 (July 30th 2006) <br> SB00 Kreon 0.80 (September 9th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162C?}} |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |Kreon{{citation needed}} {{FIXME|reason=Same as SH-D162D?}} |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |Kreon 0.80 (October 17th 2006) <br> SB01 Kreon 1.00 (October 9th 2007) |- |Samsung SH-D163B |SATA | |Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |{{citation needed}} {{FIXME|reason=Same as SH-D163B?}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] e0128f509f7cc61decdc93b0c3bcd8374f88b417 6237 6236 2017-09-21T16:35:48Z JayFoxRox 2 Grouped drives; this is an assumption. Please undo or fix if those firmwares are not compatible. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 0de907197a64356da3dd29173ca7bdb46e4d31d8 1 3832 6217 5992 2017-09-12T18:34:37Z CobaltHex 2492 wikitext text/x-wiki == Change to article about promo fonts == Both of these fonts were used as part of the Xbox's marketing materials. More info there than the XTF format. Perhaps move the XTF to a generic file format article (below) == Merge with dashboard article == I think it makes sense to merge this with the dashboard article or even move such file format stuff to other wikis. However, I'm not sure how to integrate it best with the dashboard article, and I'm not aware of any wikis where this would fit. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:45, 22 August 2017 (PDT) == Add file format info == from #xqemu irc channel * JayFoxRox: I looked at the file, it seems to be a 2D mesh format, indices, followed by vertices * JayFoxRox: header is XTF0, then, then 4 bytes length for the following name of font [should be 32 bytes] * JayFoxRox: seemingly this is used too: https://msdn.microsoft.com/en-us/library/dd144956(v=vs.85).aspx * JayFoxRox: or at least there is a 4 byte length prefix again * JayFoxRox: near end of file it's very surely <code>u16 icount, u16 vcount, u16 indices[icount] { float x,y; }[vcount]</code> * JayFoxRox: if there are any structures between those 2? no idea. * JayFoxRox: apparently the last structure [with mesh data] keeps repeating towards the end, so it's probably each glyph seperately * JayFoxRox: I don't have more time for doing this now - I already did more than I wanted by sourcing the Xbox.xtf and Xbox Book.xtf and looking at it with hexedit and googling for MS structures :P * JayFoxRox: I think there are degenerates, so looks like tri-strip << edit: actually those are just tris! Update: source code for partially converting to svg font: https://gist.github.com/JayFoxRox/3749698d1ae590608433672bffecba5a --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:49, 22 August 2017 (PDT) a8f633c8f4139e8c3f47f8b251e62c1016782717 0 4 6224 5308 2017-09-16T08:06:16Z JayFoxRox 2 Link was broken wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |- |[[Advent Rising]] |UE2 Build 2226 |- |[[America's Army: Rise of a Soldier]] |UT2003 Build 928 |- |[[Brothers in Arms: Earned in Blood]] |UE2 Build 2226 |- |[[Brothers in Arms: Road to Hill 30]] |UE2 Build 2226 |- |[[Combat: Task Force 121]] |UE2 Build 2110 |- |[[Dead Man's Hand]] |UE2 Build 2110 |- |[[Deus Ex: Invisible War]] |Warfare Build 777 |- |[[Land of the Dead: Road to Fiddler's Green]] |UE2 BUild 2226 |- |[[Magic the Gathering: Battlegrounds]] |Warfare Build 926 |- |[[Men of Valor]] |Warfare Build 926 |- |[[Open Season]] |Warfare Build 927 |- |[[Pariah]] |UT2003 Build 928 with some UE2.5 code |- |[[Shadow Ops: Red Mercury]] |UE2 Build 2110 |- |[[Star Wars: Republic Commando]] |UE2 Build 2226 |- |[[Thief: Deadly Shadows]] |Warfare Build 777 |- |[[Tom Clancy's Ghost Recon: Advanced Warfighter]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3: Black Arrow]] |Warfare Build 927 |- |[[Tom Clancy's Splinter Cell]] |Warfare Build 829 |- |[[Tom Clancy's Splinter Cell: Chaos Theory]] |Warfare Build 829 - Singleplayer & Co-op mode UE2 Build 2110 - Versus mode |- |[[Tom Clancy's Splinter Cell: Double Agent]] |Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- |[[Tom Clancy's Splinter Cell: Pandora Tomorrow]] |Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- |[[Unreal II: The Awakening]] |Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- |[[Unreal Championship]] |UT2003 Build 928 |- |[[Unreal Championship 2: The Liandri Conflict]] |UE2 build 2227 with some UE2.5 code<br>(UE2X) |- |[[Warpath]] |UT2003 Build 928 with some UE2.5 code |- |[[World War II Combat: Road to Berlin]] |UE2 Build 2110 |- |[[World War II Combat: Iwo Jima]] |UE2 Build 2110 |- |[[XIII]] |Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here]</sup>, and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]</sup>. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License eb8cd4aa6d59021446e3cc23e69e27f1fd5e9da2 6225 6224 2017-09-16T08:17:01Z JayFoxRox 2 wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = id Tech 4 = id Tech 4 was scaled down for Xbox{{citation needed}}. {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Doom 3]] |- | [[Doom 3: Resurrection of Evil]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |- |[[Advent Rising]] |UE2 Build 2226 |- |[[America's Army: Rise of a Soldier]] |UT2003 Build 928 |- |[[Brothers in Arms: Earned in Blood]] |UE2 Build 2226 |- |[[Brothers in Arms: Road to Hill 30]] |UE2 Build 2226 |- |[[Combat: Task Force 121]] |UE2 Build 2110 |- |[[Dead Man's Hand]] |UE2 Build 2110 |- |[[Deus Ex: Invisible War]] |Warfare Build 777 |- |[[Land of the Dead: Road to Fiddler's Green]] |UE2 BUild 2226 |- |[[Magic the Gathering: Battlegrounds]] |Warfare Build 926 |- |[[Men of Valor]] |Warfare Build 926 |- |[[Open Season]] |Warfare Build 927 |- |[[Pariah]] |UT2003 Build 928 with some UE2.5 code |- |[[Shadow Ops: Red Mercury]] |UE2 Build 2110 |- |[[Star Wars: Republic Commando]] |UE2 Build 2226 |- |[[Thief: Deadly Shadows]] |Warfare Build 777 |- |[[Tom Clancy's Ghost Recon: Advanced Warfighter]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3: Black Arrow]] |Warfare Build 927 |- |[[Tom Clancy's Splinter Cell]] |Warfare Build 829 |- |[[Tom Clancy's Splinter Cell: Chaos Theory]] |Warfare Build 829 - Singleplayer & Co-op mode UE2 Build 2110 - Versus mode |- |[[Tom Clancy's Splinter Cell: Double Agent]] |Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- |[[Tom Clancy's Splinter Cell: Pandora Tomorrow]] |Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- |[[Unreal II: The Awakening]] |Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- |[[Unreal Championship]] |UT2003 Build 928 |- |[[Unreal Championship 2: The Liandri Conflict]] |UE2 build 2227 with some UE2.5 code<br>(UE2X) |- |[[Warpath]] |UT2003 Build 928 with some UE2.5 code |- |[[World War II Combat: Road to Berlin]] |UE2 Build 2110 |- |[[World War II Combat: Iwo Jima]] |UE2 Build 2110 |- |[[XIII]] |Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here]</sup>, and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]</sup>. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License 0ff995f05f564a750a1a0f8367c12809f04804bf 0 3892 6226 2017-09-16T08:19:51Z JayFoxRox 2 Created page with "{{Game}} A sequel to [[Doom 3]]. It was an expansion pack on PC and shares a lot of the technical foundation with [[Doom 3]]." wikitext text/x-wiki {{Game}} A sequel to [[Doom 3]]. It was an expansion pack on PC and shares a lot of the technical foundation with [[Doom 3]]. 4f9131cb1aa98dab38743bb153bc2aa8de3aa03d 0 3893 6227 2017-09-16T08:20:41Z JayFoxRox 2 Created page with "{{Game}} A slightly modified version{{citation needed}} of the PC versions source code is available at https://github.com/TTimo/doom3.gpl" wikitext text/x-wiki {{Game}} A slightly modified version{{citation needed}} of the PC versions source code is available at https://github.com/TTimo/doom3.gpl 347877e37c3836687592c63fc4423dca5750145e 0 3894 6228 2017-09-16T08:30:13Z JayFoxRox 2 Created page with "{{Game}} The source code to the PC version is available at https://github.com/id-Software/RTCW-SP and https://github.com/id-Software/RTCW-MP ." wikitext text/x-wiki {{Game}} The source code to the PC version is available at https://github.com/id-Software/RTCW-SP and https://github.com/id-Software/RTCW-MP . 9e7c9ad527a33da104323e2fc57699325b516b62 1 3895 6229 2017-09-16T11:09:46Z JayFoxRox 2 /* Drive with modded firmwares */ new section wikitext text/x-wiki == Drive with modded firmwares == There seems to be some overlap / similarities in the following devices: https://fccid.io/TSS-TS-H353 = TS-H353, TS-H353A, SH-D163, SH-D163A, SD-M2013, SH-D163B (all IDE) https://fccid.io/E-H023-00-4752 = SD-616, TS-H352, TS-H352A, SD-M1912, SH-D162, SH-D162C, SD-M2012, TS-H943 (all SATA) Noteworthy that TS-H943 is the 360 Drive! It has (i)Xtreme and 0800 available. Most other drives have been confirmed to work with Kreons firmware. We should figure out which of those drives are supported by the same firmware even. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 04:09, 16 September 2017 (PDT) b0497ba40806125b8bcda36f13748b6ccf1a935d 6230 6229 2017-09-16T11:09:54Z JayFoxRox 2 /* Drive with modded firmwares */ wikitext text/x-wiki == Drive with modded firmwares == There seems to be some overlap / similarities in the following devices: * https://fccid.io/TSS-TS-H353 = TS-H353, TS-H353A, SH-D163, SH-D163A, SD-M2013, SH-D163B (all IDE) * https://fccid.io/E-H023-00-4752 = SD-616, TS-H352, TS-H352A, SD-M1912, SH-D162, SH-D162C, SD-M2012, TS-H943 (all SATA) Noteworthy that TS-H943 is the 360 Drive! It has (i)Xtreme and 0800 available. Most other drives have been confirmed to work with Kreons firmware. We should figure out which of those drives are supported by the same firmware even. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 04:09, 16 September 2017 (PDT) 52f7af787de6a0b5441a1be599d19051ae02cec9 6231 6230 2017-09-16T16:43:25Z JayFoxRox 2 remove wrong info about SATA/IDE wikitext text/x-wiki == Drive with modded firmwares == There seems to be some overlap / similarities in the following devices: * https://fccid.io/TSS-TS-H353 = TS-H353, TS-H353A, SH-D163, SH-D163A, SD-M2013, SH-D163B * https://fccid.io/E-H023-00-4752 = SD-616, TS-H352, TS-H352A, SD-M1912, SH-D162, SH-D162C, SD-M2012, TS-H943 Noteworthy that TS-H943 is the 360 Drive! It has (i)Xtreme and 0800 available. Most other drives have been confirmed to work with Kreons firmware. We should figure out which of those drives are supported by the same firmware even. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 04:09, 16 September 2017 (PDT) 9aac6401adf2a8925be85279ff45b7087f6ee9c1 0 3 6232 5630 2017-09-19T11:49:17Z Codeasm 2480 added 2 interviews about the xboxs history wikitext text/x-wiki == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] d0654af08d7530d47ef6afae8ebb5ac14156eca2 1 3896 6238 2017-09-22T17:34:19Z Zaykho 2495 /* Reverse engineering notes for file formats */ new section wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the actual content stored in the archive is sliced in sections, creating a folder for each of them. Here an example for objects: '''.PAK for objects''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) 73af8081aecf31c4923b0f74c8041a1f52e971ef 6239 6238 2017-09-22T18:02:05Z Zaykho 2495 /* Reverse engineering notes for file formats */ wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for objects : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) '''WMSH''' or sometime '''MESH''' ---- The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. '''MAT''' ---- The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. '''GPUD''' ---- The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mimaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. '''TEXT''' ---- The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. 02726fec379542558b33eb8e6026914a71152d77 6240 6239 2017-09-22T18:06:05Z Zaykho 2495 /* Reverse engineering notes for file formats */ wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for objects : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) '''WMSH''' or sometime '''MESH''' ---- The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. '''MAT''' ---- The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. '''GPUD''' ---- The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mimaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. '''TEXT''' ---- The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. '''VB''' ---- The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. 211cf930519911bb2de89415e3fd3d36f43b7da9 6241 6240 2017-09-22T18:08:18Z Zaykho 2495 /* Reverse engineering notes for file formats */ wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) '''WMSH''' or sometime '''MESH''' ---- The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. '''MAT''' ---- The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. '''GPUD''' ---- The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. '''TEXT''' ---- The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. '''VB''' ---- The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. 08dc8b3baa02bfd73950271363fd07376ff4fd4a 6242 6241 2017-09-22T18:08:56Z Zaykho 2495 /* Reverse engineering notes for file formats */ wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) '''WMSH''' or sometime '''MESH''' ---- The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. '''MAT''' ---- The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. '''GPUD''' ---- The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. '''TEXT''' ---- The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. '''VB''' ---- The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in the '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. a78c4bc6b39ac44c41db5cdb783cb07d96e5b99a 6243 6242 2017-09-23T08:03:30Z JayFoxRox 2 Added more chunk types and some basic info wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream (This uses a non-standard PAK format) To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) ---- === PAK File format === The PAK format is a chunked format. Each chunk starts with: * u32 chunk-type (can be interpreted as 4 byte ASCII magic) * u32 unknown * u32 size of chunk (excluding this field?) The chunk can contain compressed or uncompressed data. Compression is probably indicated by the upper bits of the size (0xC0000000) being set. Compression seems to be with a zlib header (<code>0x78, 0xDA</code>). Data can be inline, directly following the header. However, in INDX chunks, the data is pointed to by an extra u32 field after each header. ==== INDX ==== * u32: number of chunks * array of chunk headers, each with additional u32 field pointing to the data * array of chunk data ==== WMSH ==== The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. ==== MESH ==== Same as WMSH? ==== MAT ==== Material properties The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. ==== SKY ==== ==== WRAP ==== ==== INST ==== Header has some field set to != 0. Seems to contain subchunks which end with "END" chunk? ==== TIME ==== ==== RCAM ==== ==== ANIC ==== ==== ROUT ==== ==== RPRM ==== ==== RTMP ==== ==== GPUD ==== ==== GPUS ==== ==== TEX ==== ==== LGHT ==== ==== ACT ==== ==== INFO ==== ==== DRVP ==== ==== AUDI ==== ==== TVC ==== ==== END ==== Marks the end of the file. Can also be inside a file and might mark the end of a subchunk there? ==== GPUD ==== GPU Data? The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. ==== TEXT ==== Texture information The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. ==== VB ==== Vertex buffer information The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in the '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. 5351da2489a24cc28f6fb3660a9f50bb52ac053d 6244 6243 2017-09-23T16:38:50Z JayFoxRox 2 /* Hacky python script to extract PAK textures */ new section wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream (This uses a non-standard PAK format) To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) ---- === PAK File format === The PAK format is a chunked format. Each chunk starts with: * u32 chunk-type (can be interpreted as 4 byte ASCII magic) * u32 unknown * u32 size of chunk (excluding this field?) The chunk can contain compressed or uncompressed data. Compression is probably indicated by the upper bits of the size (0xC0000000) being set. Compression seems to be with a zlib header (<code>0x78, 0xDA</code>). Data can be inline, directly following the header. However, in INDX chunks, the data is pointed to by an extra u32 field after each header. ==== INDX ==== * u32: number of chunks * array of chunk headers, each with additional u32 field pointing to the data * array of chunk data ==== WMSH ==== The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. ==== MESH ==== Same as WMSH? ==== MAT ==== Material properties The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. ==== SKY ==== ==== WRAP ==== ==== INST ==== Header has some field set to != 0. Seems to contain subchunks which end with "END" chunk? ==== TIME ==== ==== RCAM ==== ==== ANIC ==== ==== ROUT ==== ==== RPRM ==== ==== RTMP ==== ==== GPUD ==== ==== GPUS ==== ==== TEX ==== ==== LGHT ==== ==== ACT ==== ==== INFO ==== ==== DRVP ==== ==== AUDI ==== ==== TVC ==== ==== END ==== Marks the end of the file. Can also be inside a file and might mark the end of a subchunk there? ==== GPUD ==== GPU Data? The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. ==== TEXT ==== Texture information The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. ==== VB ==== Vertex buffer information The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in the '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. == Hacky python script to extract PAK textures == <pre> #!/usr/bin/env python3 # Project Gotham Racing 2 (.pak) # Originally a script for QuickBMS http://quickbms.aluigi.org # comtype unzip_dynamic import sys import struct import zlib from PIL import Image def readLong(f): return struct.unpack('<I', f.read(4))[0] def clog(f, NAME, OFFSET, ZSIZE, SIZE): print('Exporting ' + NAME + ' (Compressed) from ' + str(OFFSET)) #FIXME: Export f.seek(OFFSET) compressed = f.read(ZSIZE) #print(compressed) data = bytes() try: decompress = zlib.decompressobj(15) for b in compressed: data += decompress.decompress(compressed) except: print("Decompression failed after " + str(len(data)) + ' / ' + str(SIZE) + ' bytes') with open(NAME, 'wb') as e: e.write(data) #print(data) return data def log(f, NAME, OFFSET, ZSIZE): f.seek(OFFSET) data = f.read(ZSIZE) print('Exporting ' + NAME) #FIXME: Export with open(NAME, 'wb') as e: e.write(data) return data textures = [] gpud = bytes([]) def readChunk(f, indexed = False): global gpud global textures print("At " + str(f.tell())) chunkType = f.read(4) NAME = chunkType.decode('ascii').rstrip('\0') # FIXME: Remove?! print("Found chunk " + NAME) DUMMY = readLong(f) SIZE = readLong(f) print("Dummy " + str(DUMMY)) print("Size " + str(SIZE)) if indexed == True: OFFSET = readLong(f) + 0xC else: OFFSET = f.tell() TMP = f.tell() if chunkType == b'INDX': print("Reading index?!") FILES = readLong(f) for i in range(0, FILES): readChunk(f, True) f.read(SIZE - FILES * 16 - 4) return elif chunkType == b'WMSH': pass elif chunkType == b'SKY\0': pass elif chunkType == b'WRAP': pass elif chunkType == b'INST': pass elif chunkType == b'MAT\0': pass elif chunkType == b'TIME': pass elif chunkType == b'RCAM': pass elif chunkType == b'ANIC': pass elif chunkType == b'ROUT': pass elif chunkType == b'RPRM': pass elif chunkType == b'RTMP': pass elif chunkType == b'GPUD': pass elif chunkType == b'GPUS': pass elif chunkType == b'TEX\0': pass elif chunkType == b'LGHT': pass elif chunkType == b'ACT\0': pass elif chunkType == b'VB\0\0': offset = readLong(f) #FIXME: Don't read here! print("VB at " + str(offset)) elif chunkType == b'INFO': pass elif chunkType == b'DRVP': pass elif chunkType == b'TVC\0': pass elif chunkType == b'MESH': pass elif chunkType == b'TEXT': pass elif chunkType == b'AUDI': pass elif chunkType == b'END\0': assert(SIZE == 0) return else: print("Unknown chunk type: " + NAME) print(chunkType) assert(False) f.seek(TMP) if indexed == True: f.seek(OFFSET) if SIZE & 0xC0000000: #FIXME: Figure out actual use of these 2 bits ZSIZE = SIZE & 0x3FFFFFFF SIZE = readLong(f) print("c-zSize is " + str(ZSIZE)) print("c-Size is " + str(SIZE)) OFFSET = f.tell() data = clog(f, NAME, OFFSET, ZSIZE - 4, SIZE) else: TMP_SIGN = f.read(4) if TMP_SIGN == b'COLR': ZERO = readLong(f) ZSIZE = readLong(f) SIZE = readLong(f) print("zSize is " + str(ZSIZE)) print("Size is " + str(SIZE)) OFFSET = f.tell() if ZSIZE & 0xC0000000: #FIXME: Figure out actual use of these 2 bits ZSIZE = ZSIZE & 0x3FFFFFFF print("c-zSize is " + str(ZSIZE)) data = clog(f, NAME, OFFSET, ZSIZE, SIZE) else: data = log(f, NAME, OFFSET, ZSIZE) else: data = log(f, NAME, OFFSET, SIZE) if chunkType == b'WMSH': offset = 52 for i in range(0, 1000): print(struct.unpack('<H', data[offset:offset+2])[0]) offset += 2 elif chunkType == b'GPUD': gpud = data offset = 87424 for i in range(0, 1000): if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = 0 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) # The start of the file is closer to this if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) elif chunkType == b'TEXT': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " car texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 dataOffset = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(" Texture name: " + name.decode('ascii').rstrip('\0') + " @ " + str(dataOffset)) #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'TEX\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " world texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 a1 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 a2 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 c = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 d = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 h = 1 << (a2 & 0xF) w = 1 << ((a2 >> 4) & 0xF) print("Size: " + str(w) + "x" + str(h) + " (End: 0x%08X)" % (b + (w * h * 4)//3)) someH = 1 << (d & 0xF) someW = 1 << ((d >> 4) & 0xF) print("Max. Size (?): " + str(someW) + "x" + str(someH)) #FIXME: a? gpudOffset = b #FIXME: c? #FIXME: d? texture = {} texture['name'] = name.decode('ascii').rstrip('\0') texture['offset'] = gpudOffset texture['width'] = w texture['height'] = h texture['format'] = a1 textures += [texture] print(" Texture name: " + texture['name'] + "\n @ 0x%04X 0x%04X 0x%08X 0x%08X 0x%08X " % (a1,a2,b,c,d)) print("\n") #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'AUDI': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " audio sample(s) (???):") for i in range(count): name = data[offset:offset+4] offset += 4 print(" Name: " + str(name)) #FIXME: Read rest of data offset += 12 elif chunkType == b'MAT\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " material(s):") for i in range(count): a = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 c = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 d = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 print(" Material: 0x%04X, 0x%04X, 0x%04X, 0x%04X" % (a, b, c, d)) #FIXME: Read rest of data if indexed == True: f.seek(TMP) with open(sys.argv[1], 'rb') as f: while True: tmp = f.tell() try: if f.read(1) == b'': raise except: print("EOF?!") break f.seek(tmp) readChunk(f) for texture in textures: #with open(str(texture['name']) + ".raw",'wb') as e: # DXT3 = 1 byte per pixel print("Exporting " + texture['name'] + " (%d x %d)" % (texture['width'], texture['height'])) size = texture['width'] * texture['height'] if texture['width'] < 4: print("Texture too small!") # FIXME!!! continue data = gpud[texture['offset']:texture['offset']+size] if texture['format'] == 0x0414: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x041C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x021C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 1) else: print("Unknown format! 0x%04X" % texture['format']) image = None if image: image.save(texture['name'] + "-0x%04X" % texture['format'] + ".png") #e.write() </pre> --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 09:38, 23 September 2017 (PDT) 761f0bd5c2fcfd42e9e41f0d47c07b70dc679188 6245 6244 2017-09-23T19:09:49Z JayFoxRox 2 /* Hacky python script to extract PAK textures */ wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream (This uses a non-standard PAK format) To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) ---- === PAK File format === The PAK format is a chunked format. Each chunk starts with: * u32 chunk-type (can be interpreted as 4 byte ASCII magic) * u32 unknown * u32 size of chunk (excluding this field?) The chunk can contain compressed or uncompressed data. Compression is probably indicated by the upper bits of the size (0xC0000000) being set. Compression seems to be with a zlib header (<code>0x78, 0xDA</code>). Data can be inline, directly following the header. However, in INDX chunks, the data is pointed to by an extra u32 field after each header. ==== INDX ==== * u32: number of chunks * array of chunk headers, each with additional u32 field pointing to the data * array of chunk data ==== WMSH ==== The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. ==== MESH ==== Same as WMSH? ==== MAT ==== Material properties The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. ==== SKY ==== ==== WRAP ==== ==== INST ==== Header has some field set to != 0. Seems to contain subchunks which end with "END" chunk? ==== TIME ==== ==== RCAM ==== ==== ANIC ==== ==== ROUT ==== ==== RPRM ==== ==== RTMP ==== ==== GPUD ==== ==== GPUS ==== ==== TEX ==== ==== LGHT ==== ==== ACT ==== ==== INFO ==== ==== DRVP ==== ==== AUDI ==== ==== TVC ==== ==== END ==== Marks the end of the file. Can also be inside a file and might mark the end of a subchunk there? ==== GPUD ==== GPU Data? The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. ==== TEXT ==== Texture information The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. ==== VB ==== Vertex buffer information The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in the '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. == Hacky python script to extract PAK textures == <pre> #!/usr/bin/env python3 # Project Gotham Racing 2 (.pak) # Originally a script for QuickBMS http://quickbms.aluigi.org # comtype unzip_dynamic import sys import struct import zlib from PIL import Image # Array entries to export for debug purposes N = 20 def readLong(f): return struct.unpack('<I', f.read(4))[0] def clog(f, NAME, OFFSET, ZSIZE, SIZE): print('Exporting ' + NAME + ' (Compressed) from ' + str(OFFSET)) #FIXME: Export f.seek(OFFSET) compressed = f.read(ZSIZE) #print(compressed) data = bytes() try: decompress = zlib.decompressobj(15) for b in compressed: data += decompress.decompress(compressed) except: print("Decompression failed after " + str(len(data)) + ' / ' + str(SIZE) + ' bytes') with open(NAME, 'wb') as e: e.write(data) #print(data) return data def log(f, NAME, OFFSET, ZSIZE): f.seek(OFFSET) data = f.read(ZSIZE) print('Exporting ' + NAME) #FIXME: Export with open(NAME, 'wb') as e: e.write(data) return data textures = [] vbs = [] meshs = [] gpud = bytes([]) def readChunks(f): while True: chunk = readChunk(f) if chunk['type'] == b'END\0': break def readChunk(f, indexed = False): global gpud global textures global vbs global meshs print("At " + str(f.tell())) chunkType = f.read(4) NAME = chunkType.decode('ascii').rstrip('\0') # FIXME: Remove?! print("Found chunk " + NAME) DUMMY = readLong(f) SIZE = readLong(f) chunk = {} chunk['type'] = chunkType chunk['size'] = SIZE if DUMMY: chunk['children'] = [] print("Dummy " + str(DUMMY)) print("Size " + str(SIZE)) if indexed == True: OFFSET = readLong(f) + 0xC print("Offset " + str(OFFSET)) chunk['offset'] = OFFSET else: OFFSET = f.tell() TMP = f.tell() if chunkType == b'INDX': print("Reading index?!") FILES = readLong(f) for i in range(0, FILES): readChunk(f, True) f.read(SIZE - FILES * 16 - 4) return chunk elif chunkType == b'WMSH': pass elif chunkType == b'SKY\0': pass elif chunkType == b'WRAP': pass elif chunkType == b'INST': pass elif chunkType == b'MAT\0': pass elif chunkType == b'TIME': pass elif chunkType == b'RCAM': pass elif chunkType == b'ANIC': pass elif chunkType == b'ROUT': pass elif chunkType == b'RPRM': pass elif chunkType == b'RTMP': # Much like INDX? pass elif chunkType == b'GPUD': pass elif chunkType == b'GPUS': pass elif chunkType == b'TEX\0': pass elif chunkType == b'LGHT': pass elif chunkType == b'ACT\0': pass elif chunkType == b'VB\0\0': pass elif chunkType == b'INFO': pass elif chunkType == b'DRVP': pass elif chunkType == b'TVC\0': pass elif chunkType == b'MESH': pass elif chunkType == b'COLR': pass elif chunkType == b'TEXT': pass elif chunkType == b'AUDI': pass elif chunkType == b'END\0': assert(SIZE == 0) return chunk else: print("Unknown chunk type: " + NAME) print(chunkType) assert(False) f.seek(TMP) if indexed == True: f.seek(OFFSET) # Nested if(DUMMY == 1): chunk['children'] = readChunks(f) f.seek(TMP) return chunk #FIXME: RTMP has DUMMY = 2! if DUMMY == 2: print("Not sure how to handle DUMMY = 2") if SIZE & 0xC0000000: #FIXME: Figure out actual use of these 2 bits ZSIZE = SIZE & 0x3FFFFFFF SIZE = readLong(f) print("c-zSize is " + str(ZSIZE)) print("c-Size is " + str(SIZE)) OFFSET = f.tell() data = clog(f, NAME, OFFSET, ZSIZE - 4, SIZE) else: data = log(f, NAME, OFFSET, SIZE) if chunkType == b'WMSH': offset = 52 for i in range(0, N): print(struct.unpack('<H', data[offset:offset+2])[0]) offset += 2 elif chunkType == b'GPUD': gpud = data offset = 87424 for i in range(0, N): if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = 0 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) # The start of the file is closer to this if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) elif chunkType == b'TEXT': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " car texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 fmt = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 dim = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 dataOffset = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 texture = {} texture['name'] = name.decode('ascii').rstrip('\0') print("0x%04X" % dim) texture['width'] = 1 << ((dim >> 4) & 0xF) texture['height'] = 1 << (dim & 0xF) texture['format'] = fmt texture['offset'] = dataOffset textures += [texture] print(" Texture name: " + texture['name']) #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'TEX\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " world texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 a1 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 a2 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 c = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 d = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 h = 1 << (a2 & 0xF) w = 1 << ((a2 >> 4) & 0xF) print("Size: " + str(w) + "x" + str(h) + " (End: 0x%08X)" % (b + (w * h * 4)//3)) someH = 1 << (d & 0xF) someW = 1 << ((d >> 4) & 0xF) print("Max. Size (?): " + str(someW) + "x" + str(someH)) #FIXME: a? gpudOffset = b #FIXME: c? #FIXME: d? texture = {} texture['name'] = name.decode('ascii').rstrip('\0') texture['offset'] = gpudOffset texture['width'] = w texture['height'] = h texture['format'] = a1 textures += [texture] print(" Texture name: " + texture['name'] + "\n @ 0x%04X 0x%04X 0x%08X 0x%08X 0x%08X " % (a1,a2,b,c,d)) print("\n") #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'VB\0\0': vb = {} for i in range(0, SIZE, 4): vb['offset'] = struct.unpack('<I', data[i:i+4])[0] vbs += [vb] elif chunkType == b'MESH' or chunkType == b'WMSH': # Originally written for MESH, also might work for WMSH offset = 52 indices = [] for i in range(0, 20000): #FIXME: Number of indices j = struct.unpack('<H', data[offset:offset+2])[0] indices += [j] offset += 2 mesh = {} mesh['indices'] = indices meshs += [mesh] elif chunkType == b'AUDI': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " audio sample(s) (???):") for i in range(count): name = data[offset:offset+4] offset += 4 print(" Name: " + str(name)) #FIXME: Read rest of data offset += 12 elif chunkType == b'MAT\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " material(s):") for i in range(count): a = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 c = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 d = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 print(" Material: 0x%04X, 0x%04X, 0x%04X, 0x%04X" % (a, b, c, d)) #FIXME: Read rest of data if indexed == True: f.seek(TMP) return chunk with open(sys.argv[1], 'rb') as f: while True: tmp = f.tell() try: if f.read(1) == b'': raise except: print("EOF?!") break f.seek(tmp) readChunks(f) with open('test.obj', 'w') as e: for vb in vbs: print("VB: " + str(vb['offset'])) offset = vb['offset'] for i in range(0, 100): print(i) # Helper so we can figure out when the parser hangs x = 0 y = 0 z = 0 u = 0 v = 0 if False: # /tmp/240Z.pak_hrd x = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 y = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 z = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 offset += 4 #FIXME: Fix scale u = struct.unpack('<h', gpud[offset:offset+2])[0] / 512 offset += 2 v = struct.unpack('<h', gpud[offset:offset+2])[0] / 512 offset += 2 if True: # /tmp/Red Cone.pak #FIXME: Broken still! x = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 offset += 6 print("xyz: %f %f %f; uv: %f %f" % (x,y,z, u,v)) e.write('v %f %f %f\n' % (x,y,z)) e.write('vt %f %f\n' % (u,v)) for mesh in meshs: c = -1 b = -1 a = -1 for i in mesh['indices']: c = b b = a a = i + 1 if c >= 0: e.write('f %d/%d %d/%d %d/%d\n' % (c,c,b,b,a,a)) for texture in textures: #with open(str(texture['name']) + ".raw",'wb') as e: # DXT3 = 1 byte per pixel print("Exporting " + texture['name'] + " (%d x %d)" % (texture['width'], texture['height'])) size = texture['width'] * texture['height'] if texture['width'] < 4: print("Texture too small!") # FIXME!!! continue data = gpud[texture['offset']:texture['offset']+size] if texture['format'] == 0x0414: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x040C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x041C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x021C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 1) else: print("Unknown format! 0x%04X" % texture['format']) image = None if image: image.save('textures/' + texture['name'] + "-0x%04X" % texture['format'] + ".png") #e.write() </pre> --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 09:38, 23 September 2017 (PDT) de0ee7c0879ad6fb465899e2754785651094db8c 6246 6245 2017-09-24T09:12:31Z JayFoxRox 2 Updated, but still broken wikitext text/x-wiki == Reverse engineering notes for file formats == --[[User:Zaykho|Zaykho]] ([[User talk:Zaykho|talk]]) 10:34, 22 September 2017 (PDT) Project Gotham Racing 2 use a .PAK container for storing 3D elements, textures and 3D configurations files. Multiple types of .PAK name can be seen in PGR2, their names are related to their functions and indicate what type of elements are stored: '''.PAK for objects''' ( Cache\Objects & Cache\Cars ) ---- .pak '''.PAK for cars''' ( Cache\Cars ) ---- .pak_cth .pak_hrd .pak_opn ( only for roadster : open mode) .pak_sft ( only for roadster : closed mode for rain) '''.PAK for maps''' ( Game\Areas ) ---- .pak_common .pak_day .pak_night .pak_overcast .pak_stream (This uses a non-standard PAK format) To extract those .PAK files, a tool called [http://aluigi.altervista.org/quickbms.htm quickbms] and a [http://aluigi.altervista.org/bms/project_gotham_2_pak.bms PGR2 bms script] ( both made by Luigi Auriemma ) can be used to get most of the contents stored in the archive. When extracted, the content stored in the archive is sliced in sections, creating a folder for each of them and joining a file with the actual contents in it, mostly with a '''.dat''' suffix. Here an example for objects: '''.PAK for object : red_cone.pak ''' ---- WMSH \ 00000000.dat MAT \ 00000001.dat GPUD \ 00000002.dat TEXT \ 00000003.nfc VB \ 00000004.dat END ( nothing, no folder, no files ) ---- === PAK File format === The PAK format is a chunked format. Each chunk starts with: * u32 chunk-type (can be interpreted as 4 byte ASCII magic) * u32 unknown * u32 size of chunk (excluding this field?) The chunk can contain compressed or uncompressed data. Compression is probably indicated by the upper bits of the size (0xC0000000) being set. Compression seems to be with a zlib header (<code>0x78, 0xDA</code>). Data can be inline, directly following the header. However, in INDX chunks, the data is pointed to by an extra u32 field after each header. ==== INDX ==== * u32: number of chunks * array of chunk headers, each with additional u32 field pointing to the data * array of chunk data ==== WMSH ==== The ''00000000.dat'' file contain the '''faces indices''', and ''supposedly'', the '''strip''' and the how the vertices are read '''( float, word ? )'''. ==== MESH ==== Same as WMSH? ==== MAT ==== Material properties The ''00000001.dat'' file contain the '''material''' properties : diffuse, specular, ambient etc... of each material applied to the 3D file. ==== SKY ==== ==== WRAP ==== ==== INST ==== Header has some field set to != 0. Seems to contain subchunks which end with "END" chunk? ==== TIME ==== ==== RCAM ==== ==== ANIC ==== ==== ROUT ==== ==== RPRM ==== ==== RTMP ==== ==== GPUD ==== ==== GPUS ==== ==== TEX ==== ==== LGHT ==== ==== ACT ==== ==== INFO ==== ==== DRVP ==== ==== AUDI ==== ==== TVC ==== ==== END ==== Marks the end of the file. Can also be inside a file and might mark the end of a subchunk there? ==== GPUD ==== GPU Data? The ''00000002.dat'' file contain all the '''textures''', each of them followed by a small part of data ''( texture configuration ? mipmaps ? )''. Finally, after all the textures, the '''vertices and UV position''' are stored in one chunk of data. ==== TEXT ==== Texture information The ''00000003.dat'' file contain all the '''text and name''' related to the texture, it also indicate where each textures are located inside '''GPUD'''. ==== VB ==== Vertex buffer information The ''00000004.dat'' file contain the '''start address offset''' of the vertices and UV section in the '''GPUD'''. If the 3D mesh have multiples groups/sections, the VB file will store each address. == Hacky python script to extract PAK textures == <pre> #!/usr/bin/env python3 # Project Gotham Racing 2 (.pak) # Originally a script for QuickBMS http://quickbms.aluigi.org # comtype unzip_dynamic import sys import struct import zlib from PIL import Image # Array entries to export for debug purposes N = 20 def readLong(f): return struct.unpack('<I', f.read(4))[0] def clog(f, NAME, OFFSET, ZSIZE, SIZE): print('Exporting ' + NAME + ' (Compressed) from ' + str(OFFSET)) #FIXME: Export f.seek(OFFSET) compressed = f.read(ZSIZE) #print(compressed) data = bytes() try: decompress = zlib.decompressobj(15) for b in compressed: data += decompress.decompress(compressed) raise except: print("Decompression failed after " + str(len(data)) + ' / ' + str(SIZE) + ' bytes') with open(NAME, 'wb') as e: e.write(data) #print(data) return data def log(f, NAME, OFFSET, ZSIZE): f.seek(OFFSET) data = f.read(ZSIZE) print('Exporting ' + NAME) #FIXME: Export with open(NAME, 'wb') as e: e.write(data) return data textures = [] vbs = [] meshs = [] gpud = bytes([]) def readChunks(f): while True: chunk = readChunk(f) if chunk['type'] == b'END\0': break def readChunk(f, indexed = False): global gpud global textures global vbs global meshs print("At " + str(f.tell())) chunkType = f.read(4) NAME = chunkType.decode('ascii').rstrip('\0') # FIXME: Remove?! print("Found chunk " + NAME) DUMMY = readLong(f) SIZE = readLong(f) chunk = {} chunk['type'] = chunkType chunk['size'] = SIZE if DUMMY: chunk['children'] = [] print("Dummy " + str(DUMMY)) print("Size " + str(SIZE)) if indexed == True: OFFSET = readLong(f) + 0xC print("Offset " + str(OFFSET)) chunk['offset'] = OFFSET else: OFFSET = f.tell() TMP = f.tell() if chunkType == b'INDX': print("Reading index?!") FILES = readLong(f) for i in range(0, FILES): readChunk(f, True) f.read(SIZE - FILES * 16 - 4) return chunk elif chunkType == b'WMSH': pass elif chunkType == b'SKY\0': pass elif chunkType == b'WRAP': pass elif chunkType == b'INST': pass elif chunkType == b'MAT\0': pass elif chunkType == b'TIME': pass elif chunkType == b'RCAM': pass elif chunkType == b'ANIC': pass elif chunkType == b'ROUT': pass elif chunkType == b'RPRM': pass elif chunkType == b'RTMP': # Much like INDX? pass elif chunkType == b'GPUD': pass elif chunkType == b'GPUS': pass elif chunkType == b'TEX\0': pass elif chunkType == b'LGHT': pass elif chunkType == b'ACT\0': pass elif chunkType == b'VB\0\0': pass elif chunkType == b'INFO': pass elif chunkType == b'DRVP': pass elif chunkType == b'TVC\0': pass elif chunkType == b'MESH': pass elif chunkType == b'COLR': pass elif chunkType == b'TEXT': pass elif chunkType == b'AUDI': pass elif chunkType == b'END\0': assert(SIZE == 0) return chunk else: print("Unknown chunk type: " + NAME) print(chunkType) assert(False) f.seek(TMP) if indexed == True: f.seek(OFFSET) # Nested if(DUMMY == 1): chunk['children'] = readChunks(f) f.seek(TMP) return chunk #FIXME: RTMP has DUMMY = 2! if DUMMY == 2: print("Not sure how to handle DUMMY = 2") if SIZE & 0xC0000000: #FIXME: Figure out actual use of these 2 bits ZSIZE = SIZE & 0x3FFFFFFF SIZE = readLong(f) print("c-zSize is " + str(ZSIZE)) print("c-Size is " + str(SIZE)) OFFSET = f.tell() data = clog(f, NAME, OFFSET, ZSIZE - 4, SIZE) else: data = log(f, NAME, OFFSET, SIZE) if chunkType == b'GPUD': gpud = data offset = 87424 for i in range(0, N): if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = 0 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) # The start of the file is closer to this if False: x = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', data[offset:offset+4])[0] offset += 4 color = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print("v %f, %f, %f, 0x%08X" % (x, y, z, color)) elif chunkType == b'TEXT': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " car texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 fmt = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 dim = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 dataOffset = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 texture = {} texture['name'] = name.decode('ascii').rstrip('\0') print("0x%04X" % dim) texture['width'] = 1 << ((dim >> 4) & 0xF) texture['height'] = 1 << (dim & 0xF) texture['format'] = fmt texture['offset'] = dataOffset textures += [texture] print(" Texture name: " + texture['name']) #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'TEX\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " world texture(s):") for i in range(count): name = data[offset:offset+32] offset += 32 a1 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 a2 = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 c = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 d = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 h = 1 << (a2 & 0xF) w = 1 << ((a2 >> 4) & 0xF) print("Size: " + str(w) + "x" + str(h) + " (End: 0x%08X)" % (b + (w * h * 4)//3)) someH = 1 << (d & 0xF) someW = 1 << ((d >> 4) & 0xF) print("Max. Size (?): " + str(someW) + "x" + str(someH)) #FIXME: a? gpudOffset = b #FIXME: c? #FIXME: d? texture = {} texture['name'] = name.decode('ascii').rstrip('\0') texture['offset'] = gpudOffset texture['width'] = w texture['height'] = h texture['format'] = a1 textures += [texture] print(" Texture name: " + texture['name'] + "\n @ 0x%04X 0x%04X 0x%08X 0x%08X 0x%08X " % (a1,a2,b,c,d)) print("\n") #FIXME: There is more data here, at least 4 byte! #count = struct.unpack('<I', data[offset:offset+4])[0] #print(str(count) + " Unknown(s):") elif chunkType == b'VB\0\0': vb = {} for i in range(0, SIZE, 4): vb['offset'] = struct.unpack('<I', data[i:i+4])[0] vbs += [vb] elif chunkType == b'MESH' or chunkType == b'WMSH': # Originally written for MESH, also might work for WMSH offset = 42 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print("Index count might be " + str(count)) unk = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print("Unk " + str(unk)) #FIXME: what is this? always zero?! offset += 2 indices = [] for i in range(0, count): #FIXME: Number of indices j = struct.unpack('<H', data[offset:offset+2])[0] indices += [j] offset += 2 if False: #FIXME: Very much WIP.. only developing this for WMSH # (MESH seems to be slightly different) # Align to next 4 byte barrier #offset += 3 #offset &= ~3 batchCount = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 print("Batches " + str(batchCount)) if batchCount > 0: # Format and len until first primitive restart or something? for i in range(0, batchCount): #FIXME: Number of indices per batch in 32 bit?! x = struct.unpack('<I', data[offset:offset+4])[0] print(" A: " + str(x)) offset += 4 for i in range(0, batchCount): #FIXME: Same as before but in 16 bit?! x = struct.unpack('<H', data[offset:offset+2])[0] print(" B: " + str(x)) offset += 2 # We need at least one batch batchCount = max(1, batchCount) for i in range(0, batchCount): x = struct.unpack('<BBBBBB', data[offset:offset+6]) offset += 6 print("data: %02X %02X %02X %02X %02X %02X" % x) # FIXME: How to get here on our own?! assert(offset == (len(data) - batchCount * 2)) totalSize = 0 for i in range(0, batchCount): batchSize = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 totalSize += batchSize print(" Batch size is " + str(batchSize) + " total: " + str(totalSize)) mesh = {} mesh['indices'] = indices meshs += [mesh] elif chunkType == b'AUDI': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " audio sample(s) (???):") for i in range(count): name = data[offset:offset+4] offset += 4 print(" Name: " + str(name)) #FIXME: Read rest of data offset += 12 elif chunkType == b'MAT\0': offset = 0 count = struct.unpack('<I', data[offset:offset+4])[0] offset += 4 print(str(count) + " material(s):") for i in range(count): a = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 b = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 c = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 d = struct.unpack('<H', data[offset:offset+2])[0] offset += 2 print(" Material: 0x%04X, 0x%04X, 0x%04X, 0x%04X" % (a, b, c, d)) #FIXME: Read rest of data if indexed == True: f.seek(TMP) return chunk with open(sys.argv[1], 'rb') as f: while True: tmp = f.tell() try: if f.read(1) == b'': raise except: print("EOF?!") break f.seek(tmp) readChunks(f) with open('test.obj', 'w') as e: for vb in vbs: print("VB: " + str(vb['offset'])) offset = vb['offset'] for i in range(0, 138): print(i) # Helper so we can figure out when the parser hangs x = 0 y = 0 z = 0 u = 0 v = 0 if False: # /tmp/240Z.pak_hrd x = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 y = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 z = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 offset += 4 #FIXME: Fix scale u = struct.unpack('<h', gpud[offset:offset+2])[0] / 512 offset += 2 v = struct.unpack('<h', gpud[offset:offset+2])[0] / 512 offset += 2 if False: # /tmp/sharkfin.pak # Presumably: 17? verts, each 20? bytes # 25 indices # xyz uv x = struct.unpack('<i', gpud[offset:offset+4])[0] offset += 4 y = struct.unpack('<i', gpud[offset:offset+4])[0] offset += 4 z = struct.unpack('<i', gpud[offset:offset+4])[0] offset += 4 #FIXME: Fix scale u = struct.unpack('<i', gpud[offset:offset+4])[0] offset += 4 v = struct.unpack('<i', gpud[offset:offset+4])[0] offset += 4 if True: # /tmp/Red Cone.pak # Presumably: 137 verts, each 24 bytes # 205 indices #FIXME: Broken still! Mostly works but contains garbage data x = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 y = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 z = struct.unpack('<f', gpud[offset:offset+4])[0] offset += 4 u = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 v = struct.unpack('<h', gpud[offset:offset+2])[0] offset += 2 offset += 4 offset += 4 #FIXME: Fix scale u /= 8192 v /= 8192 print("xyz: %f %f %f; uv: %f %f" % (x,y,z, u,v)) e.write('v %f %f %f\n' % (x,y,z)) e.write('vt %f %f\n' % (u,v)) for mesh in meshs: c = -1 b = -1 a = -1 for i in mesh['indices']: c = b b = a a = i + 1 if c >= 0: e.write('f %d/%d %d/%d %d/%d\n' % (c,c,b,b,a,a)) for texture in textures: #with open(str(texture['name']) + ".raw",'wb') as e: # DXT3 = 1 byte per pixel print("Exporting " + texture['name'] + " (%d x %d)" % (texture['width'], texture['height'])) size = texture['width'] * texture['height'] if texture['width'] < 4: print("Texture too small!") # FIXME!!! continue data = gpud[texture['offset']:texture['offset']+size] if texture['format'] == 0x0414: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x040C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x041C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 3) elif texture['format'] == 0x021C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 1) elif texture['format'] == 0x020C: image = Image.frombytes('RGBA', (texture['width'], texture['height']), data, 'bcn', 1) else: print("Unknown format! 0x%04X" % texture['format']) image = None if image: image.save('textures/' + texture['name'] + "-0x%04X" % texture['format'] + ".png") #e.write() </pre> --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 09:38, 23 September 2017 (PDT) e5c44d24c65b731be74599b7f08939bd49aa78ed 0 1 6248 6002 2017-09-25T17:29:06Z Codeasm 2480 /* Hardware */ added smbus details wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 7bb460add64a0e0bbf64f5069bb2250cf7577e33 0 1 6249 6248 2017-09-25T18:22:55Z Codeasm 2480 /* Hardware */ O my... anyway... wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus_Controller]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 70e795268c81c7996a8d9029fc1730e3405e7d6d 6251 6249 2017-09-25T18:27:24Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] * [[EEPROM]] * [[SMC]] * [[Video Encoder]] ** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 7bb460add64a0e0bbf64f5069bb2250cf7577e33 6252 6251 2017-09-25T18:28:38Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 1a550d51153dbd022d2acca86973739d1c65b356 0 3766 6250 5540 2017-09-25T18:26:37Z JayFoxRox 2 JayFoxRox moved page [[SMBus Controller]] to [[SMBus]] without leaving a redirect wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. ==SMBus Controller Port Layout== {| class="wikitable" |- | '''Port''' | Description'''''' |- | 0xc000 | '''Status''' bit 0: abort bit 1: collision bit 2: protocol error bit 3: busy bit 4: cycle complete bit 5: timeout |- | 0xc002 | '''Control''' bit 2-0: cycle type bit 3: start bit 4: enable interrupt bit 5: abort |- | 0xc004 | '''Address''' |- | 0xc006 | '''Data''' |- | 0xc008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | Conexant CX25871 Video Encoder | 0x45 | 0x8a |- | ADM1032 System Temperature Monitor | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. 3a69b0c66e1241a06ff935ae9d441adc2dc4fd3b 6259 6250 2017-09-26T20:28:56Z JayFoxRox 2 /* SMBus Controller Port Layout */ wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. ==SMBus Controller Port Layout== {| class="wikitable" |- ! Port !! Description |- | 0xC000 | '''Status''' * bit 0: abort * bit 1: collision * bit 2: protocol error * bit 3: busy * bit 4: cycle complete * bit 5: timeout |- | 0xC002 | '''Control''' * bit 2-0: cycle type * bit 3: start * bit 4: enable interrupt * bit 5: abort |- | 0xC004 | '''Address''' |- | 0xC006 | '''Data''' |- | 0xC008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | Conexant CX25871 Video Encoder | 0x45 | 0x8a |- | ADM1032 System Temperature Monitor | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. 41b9b1a04849888190f4f51d32f69fb9201db222 2 3729 6253 5912 2017-09-25T18:54:38Z Codeasm 2480 Xbox led error codes wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. c6b5702ecaed98e917f98142e184b823c80a8fdf 6254 6253 2017-09-26T06:30:38Z Codeasm 2480 /* GREEN/RED Flashing */ wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {citation needed} === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. 38b910f010ed71b4426393ba6acc68de2c82f2bd 6255 6254 2017-09-26T07:14:38Z Codeasm 2480 /* 2 reboots then GREEN/RED Flashing */ wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. 2abc2e67d9d3826cfe73e55f290c135855f74bb4 6256 6255 2017-09-26T07:23:29Z Codeasm 2480 /* Xbox led error codes */ wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. === 3/4 GREEN 1/4 RED === DVD not properly connected or faulty dvd board {{citation needed|reason=havent tested this one myself}} === 3/4 RED 1/4 GREEN === Harddisk faulty, or not properly connected {{citation needed|reason=havent tested this one myself}} === RED/ORANGE Flashing === Bad RAM, solderjoint near RAM or other RAM related problem. Did you replace/added RAM? That might be the problem.{{citation needed|reason=havent tested this one myself, never replaced ram.}} == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. 60fedc4777f7e98b49f80fb7887f64a790a2106f 6257 6256 2017-09-26T08:41:57Z Codeasm 2480 /* 2 reboots then GREEN/RED Flashing */ Extra details for frags wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. NO AV, if AV turns on with a code, its NOT a frag. The 1.0 - 1.5 xbox revisions will leave the power on and "frags". The 1.6 and 1.6b xboxes will turn the power off.[https://assemblergames.com/threads/xbox-flashing-red-and-green.64852/page-2 source] === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. === 3/4 GREEN 1/4 RED === DVD not properly connected or faulty dvd board {{citation needed|reason=havent tested this one myself}} === 3/4 RED 1/4 GREEN === Harddisk faulty, or not properly connected {{citation needed|reason=havent tested this one myself}} === RED/ORANGE Flashing === Bad RAM, solderjoint near RAM or other RAM related problem. Did you replace/added RAM? That might be the problem.{{citation needed|reason=havent tested this one myself, never replaced ram.}} == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. 975e7c1c8cf8c35a01cf697f9cd8f9613072730a 6258 6257 2017-09-26T08:46:20Z Codeasm 2480 /* Xbox led error codes */ wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == this table asumes there is NO AV output, if there is Video output, refer to the onscreen error code or message on display. The led error codes should only apear without any video output or you dashboard like XBMC is fooling you. When using modchips, check LPC pin connections, fix/remove solderblobs and check D0 and alike wires. try without modchip to see if the onboard TSOP does something. taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. NO AV, if AV turns on with a code, its NOT a frag. The 1.0 - 1.5 xbox revisions will leave the power on and "frags". The 1.6 and 1.6b xboxes will turn the power off.[https://assemblergames.com/threads/xbox-flashing-red-and-green.64852/page-2 source] === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. === 3/4 GREEN 1/4 RED === DVD not properly connected or faulty dvd board {{citation needed|reason=havent tested this one myself}} === 3/4 RED 1/4 GREEN === Harddisk faulty, or not properly connected {{citation needed|reason=havent tested this one myself}} === RED/ORANGE Flashing === Bad RAM, solderjoint near RAM or other RAM related problem. Did you replace/added RAM? That might be the problem.{{citation needed|reason=havent tested this one myself, never replaced ram.}} == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Game list === To be added, still working on it. e096fbb437b514f8f93bdc006de7e4e9263b24a1 0 3675 6260 5937 2017-10-04T08:00:01Z KaosEngineer 2482 /* Notes */ Additional link to nv30specs.pdf from nVidia's web site as the first links first attachment gives 404 error. wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf nv30specs.pdf, 13 Nov 2006, pp. 368.] a7d0c532f02991aaca98ee400ecdcbd8442c6656 6261 6260 2017-10-04T08:01:16Z KaosEngineer 2482 /* Notes */ wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x), 13 Nov 2006, pp. 368.] 972c0dc1417e53e34b07b9b88ffabd120a3fad22 6262 6261 2017-10-04T08:02:05Z KaosEngineer 2482 /* Notes */ URL formatting fix. I hope! wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x), 13 Nov 2006, pp. 368.] d3e2b47167e4b9e4bf8fa4b438e3fea408a5fc10 6263 6262 2017-10-04T08:10:39Z KaosEngineer 2482 /* Notes */ wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf *NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)*, pp. 368, nVidia Corporation, 13 Nov 2006.] 4da04d249f40ab84ba41892e8ec082f884883e18 6264 6263 2017-10-04T08:13:35Z KaosEngineer 2482 /* Notes */ wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", pp. 368, nVidia Corporation, 13 Nov 2006.] afb5e382760aa3f792b47ee110420614173f2424 6265 6264 2017-10-04T08:17:42Z KaosEngineer 2482 /* Notes */ Still not working. Trying to get the title of the PDF file printed in italics so added " wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] ** [https://web.archive.org/web/20070105072020/http://www.cs.virginia.edu/~gfx/Courses/2002/RealTime.fall.02/Cg/nv30specs.pdf Backup of nv30specs: List of implemented GL extensions for NV10-NV30] ** [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x), pp. 368, nVidia Corporation, 13 Nov 2006.] 35fa2f8132d46f8e8521917c2884741bcded440b 6266 6265 2017-10-04T14:54:21Z JayFoxRox 2 Removed duplicate link wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web-beta.archive.org/web/20030207073141/http://developer.nvidia.com:80/view.asp?IO=nv30_emulation NV30 information and emulator] * [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006] 541d7443a6719f57a156da2f8df888ed485e6e52 0 3898 6267 2017-10-16T11:27:37Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560788(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560788(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep insb mov edi, eax ret 12 </pre> 67630552c492f50ba2b6b2f870c5b5be6d8f17de 0 3899 6268 2017-10-16T11:28:34Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560794(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560794(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep insw mov edi, eax ret 12 </pre> ba130441d3738ea202b12372f6b17044b13cea5d 0 3900 6269 2017-10-16T11:29:09Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560791(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff560791(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep insd mov edi, eax ret 12 </pre> b529b569d63defcad4df06e33064c9faf4d409d2 0 3901 6270 2017-10-16T11:29:59Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566383(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566383(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep outsb mov edi, eax ret 12 </pre> dfc70ebce0e2fa41ebf3daba3cf591188cd6d53a 0 3902 6271 2017-10-16T11:30:20Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566385(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566385(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep outsw mov edi, eax ret 12 </pre> d9174e6cddc22c70b07cc5a7f6081070bab2fac8 0 3903 6272 2017-10-16T11:30:57Z JayFoxRox 2 Created page with "Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566384(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx,..." wikitext text/x-wiki Also see https://msdn.microsoft.com/en-us/library/windows/hardware/ff566384(v=vs.85).aspx == Disassembly == <pre> mov eax, edi mov edx, [esp+4] mov edi, [esp+8] mov ecx, [esp+12] rep outsd mov edi, eax ret 12 </pre> 582384a97e25c76d236c72105d6e89a519c43e99 0 3703 6273 5874 2017-10-24T12:10:46Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 0979fd3d84b1d8349c09883e9f35b9b0ba163e99 0 3678 6274 5922 2017-10-25T18:15:01Z Furon 2477 Add exports for profiled builds wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !x86 Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT] |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- |[[Kernel/XProfpControl]] |370 | |Profiled builds only |- |[[Kernel/XProfpGetData]] |371 | |Profiled builds only |- |[[Kernel/IrtClientInitFast]] |372 | |Profiled builds only |- |[[Kernel/IrtSweep]] |373 | |Profiled builds only |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 1d001b09ab2ad9363d6728d5fb29c882d5ca8580 6275 6274 2017-10-25T18:19:39Z Furon 2477 Profiled -> Profiling wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !x86 Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT] |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- |[[Kernel/XProfpControl]] |370 | |Profiling-enabled builds only! |- |[[Kernel/XProfpGetData]] |371 | |Profiling-enabled builds only! |- |[[Kernel/IrtClientInitFast]] |372 | |Profiling-enabled builds only! |- |[[Kernel/IrtSweep]] |373 | |Profiling-enabled builds only! |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 6db7306f656a2dd5d430a56a63172805d6aaf9a6 0 3683 6276 6105 2017-10-26T18:02:34Z Furon 2477 /* Weird stuff 3 */ wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Weird stuff 2 ==== This does some PCI config, use unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Enable USB ASRC ==== The USB controller's "automatic slew rate compensation" feature is enabled for MCPX revisions D01 and later. <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 5211c7f9fa56efb07c056a8da7743856fe77c5d7 6277 6276 2017-10-26T18:20:10Z Furon 2477 /* Weird stuff 2 */ wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00900000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Configure LDT bus ==== DWORD flow control is enabled in the MCPX. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> DWORD flow control is also enabled in the NV2A core. <pre> out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> The LDT bus is reset. <pre> out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); </pre> The rest is unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Enable USB ASRC ==== The USB controller's "automatic slew rate compensation" feature is enabled for MCPX revisions D01 and later. <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 35df8bcc04fea40dad7f635ee19fe087aed40dab 0 3672 6278 6004 2017-10-27T23:45:00Z Furon 2477 /* Unknown */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! Unknown | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === MCPX Initialization Table === From 0x00000000 - 0x0000007F The first DWORD is a pointer to a table of values that the MCPX core uses to initialize itself, but with the least-significant bit always set to 1. The second DWORD is the unmodified table pointer. On all Xbox BIOS, the MCPX initialization table is always at file offset 8, virtual address 0xFF000008. The first DWORD of the MCPX initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown{{FIXME}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 31012249090ed682e1c328d746f3429883ff4494 6279 6278 2017-10-27T23:45:21Z Furon 2477 /* Components */ wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! MCPX Initialization Table | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === MCPX Initialization Table === From 0x00000000 - 0x0000007F The first DWORD is a pointer to a table of values that the MCPX core uses to initialize itself, but with the least-significant bit always set to 1. The second DWORD is the unmodified table pointer. On all Xbox BIOS, the MCPX initialization table is always at file offset 8, virtual address 0xFF000008. The first DWORD of the MCPX initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown{{FIXME}}. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 7177b9ee6ad4467b95ebbe9e6f57aec1061a5645 6280 6279 2017-10-29T01:42:28Z Furon 2477 There are actually two initialization tables and the first is for the NV2A, not the MCPX. wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134 !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! NV2A Initialization Table | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! MCPX Initialization Table | 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === NV2A Initialization Table === The first DWORD is a pointer to a table of values that the NV2A northbridge uses to initialize itself, but with the least-significant bit always set to 1 (likely some sort of sanity check). The second DWORD is the unmodified table pointer. On all Xbox BIOS, the NV2A initialization table is always at file offset 8, virtual address 0xFF000008. The first DWORD of the NV2A initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown{{FIXME}}. === MCPX Initialization Table === This is a table of values used to initialize the MCPX southbridge. It ''must'' be placed at offset 0x70 in the ROM image. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] cc959077dcba1381ff06c3133e2e977b49d83720 0 3669 6281 6193 2017-11-01T11:16:55Z Codeasm 2480 /* DVD Drive */ specific model number found wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 95e1ae2a40d716980a49d2e659502d8649d65c72 6282 6281 2017-11-01T11:35:06Z Codeasm 2480 /* DVD Drive */ Added Hitachi details and hack wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 919625c6b735e41390e038147b3a422a392603c9 0 3674 6283 6003 2017-11-09T08:52:57Z PatrickvL 2473 s/get_memory/get_memory_byte wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x04000000 |0x00000000 - 0x08000000 |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFE000000 |- |APU Registers |colspan="2"|0xFE800000 - 0xFE880000 |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC01000 |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED01000 |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED09000 |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF00400 |- |[[Flash]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> f7cf5c61a268c6c3a01d473b8d8729506bf1231b 1 3904 6284 2017-11-09T08:56:03Z PatrickvL 2473 Question about address-mapping of Page Directory Entries wikitext text/x-wiki About this part : 0xC00 0x0000F063 Maps the PDE (4 kiB page) to address 0xC0000000 Shouldn't that read : 0xC00 0xC0000063 Maps the PDE (4 kiB page) to address 0xC0000000 ? c98d4673ee163504a92c368d2f58e2209ec4a10b 0 3905 6285 2017-11-09T11:00:54Z JayFoxRox 2 Redirected page to [[XDVDFS]] wikitext text/x-wiki #REDIRECT [[XDVDFS]] 678e69ec8de3408a07b43431ae637857a3fb55c0 0 3906 6286 2017-11-09T11:11:21Z JayFoxRox 2 Created page with "XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. The first..." wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". === Filesystem === {{FIXME|reason=More info}} File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === Security blocks === {{FIXME}} === Random blocks === {{FIXME}} == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 7faacca073ecf8887178fd045bfdaeedf2c056fe 6287 6286 2017-11-11T00:49:03Z JayFoxRox 2 /* Format */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Version 4361 <!-- Game: Petit Copter --> ==== {{FIXME|reason=Info how the header looks in this version}} === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== First byte read is the first byte in the data partition. Filled with algorithm 1 (2048 bytes at a time, even buffer address). === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 65865e2a5bcb40ed63838cdc5ea3e68839846e55 6288 6287 2017-11-11T00:50:25Z JayFoxRox 2 /* Version 4361 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Version 4361 <!-- Game: Petit Copter --> ==== {{FIXME|reason=Info how the header looks in this version}} === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Seeded and then starting to emit bytes in data area. Filled with algorithm 1 (2048 bytes at a time, even buffer address). === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 7a35af63fc03ec6fd2665e977cb479a23010a141 6291 6288 2017-11-19T20:36:47Z JayFoxRox 2 /* Volume descriptor */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== * [[Azurik - Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 ** Starting bruteforce ** Found seed 0x7EA870D7 ** Completed bruteforce (Success) * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 ** Starting bruteforce ** Found seed 0x25BAB84C ** Completed bruteforce (Success) * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 ** Starting bruteforce ** Found seed 0x62BBC340 ** Completed bruteforce (Success) * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 ** Starting bruteforce ** Found seed 0xF401863E ** Completed bruteforce (Success) * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ** Starting bruteforce ** Found seed 0x1796C12A ** Completed bruteforce (Success) * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 ** Starting bruteforce ** Found seed 0xFACBB379 ** Completed bruteforce (Success) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Seeded and then starting to emit bytes in data area. Filled with algorithm 1 (2048 bytes at a time, even buffer address). === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 40b814156fe9e24647e3d6d9af27abfb85a8f831 6292 6291 2017-11-19T20:52:15Z JayFoxRox 2 /* Random blocks */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== * [[Azurik - Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 ** Starting bruteforce ** Found seed 0x7EA870D7 ** Completed bruteforce (Success) * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 ** Starting bruteforce ** Found seed 0x25BAB84C ** Completed bruteforce (Success) * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 ** Starting bruteforce ** Found seed 0x62BBC340 ** Completed bruteforce (Success) * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 ** Starting bruteforce ** Found seed 0xF401863E ** Completed bruteforce (Success) * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ** Starting bruteforce ** Found seed 0x1796C12A ** Completed bruteforce (Success) * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 ** Starting bruteforce ** Found seed 0xFACBB379 ** Completed bruteforce (Success) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 ** Starting bruteforce ** Completed bruteforce (Failure) === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] e8fe86077d5c35650dbb23094867267c80e15972 6293 6292 2017-11-19T21:02:57Z JayFoxRox 2 /* Examples */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik - Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2, but Microsoft upgraded their tool to use new random padding. * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] b146badf37f05a32305d5dcfe6d886cd570f9f0a 6294 6293 2017-11-19T21:03:36Z JayFoxRox 2 fixup, accidentally clicked save wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik - Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2, but Microsoft upgraded their tool to use new random padding. * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] d35e7ff2fabe77042e600247e0d4119fa9d014ec 6295 6294 2017-11-21T01:26:24Z JayFoxRox 2 Fix azurik link wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2, but Microsoft upgraded their tool to use new random padding. * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 9688159040e26044ee58186cfffd9d6752b1b011 2 3907 6289 2017-11-12T10:56:24Z Voxel9 2496 Created page with " == Voxel9 (also known as just "Voxel") == Voxel is the owner of the Xbox Emulation Discord server, and is a part of the Cxbx-Reloaded Compatibility List maintainers over at..." wikitext text/x-wiki == Voxel9 (also known as just "Voxel") == Voxel is the owner of the Xbox Emulation Discord server, and is a part of the Cxbx-Reloaded Compatibility List maintainers over at Github. He 100% enjoys all things Xbox, on top of PS consoles and a tiny bit of love left for Nintendo consoles... His addiction to the Original Xbox began shortly after a nostalgia trip in 2016 (he hadn't touched an OG Xbox for over 8 years then, lol) and has been following the scene ever since. ceee68c6dfc2287d742fdc2f6ae5f7be1adf2a4a 0 3700 6290 6237 2017-11-13T21:29:30Z JayFoxRox 2 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 73f014274dc72ec06bdfdcf300af0d86a8d0d5c5 1 3908 6296 2017-11-27T20:42:07Z Furon 2477 Created page with "== Alternative Super I/O Controller == If one wanted to create a new kernel debugger board, the Microchip LPC47N217 Super I/O Controller is still in production and has a conf..." wikitext text/x-wiki == Alternative Super I/O Controller == If one wanted to create a new kernel debugger board, the Microchip LPC47N217 Super I/O Controller is still in production and has a configuration interface compatible with the SMSC LPC47M157. It has fewer pins, thanks to a reduced number of logical devices, so should be easier to solder. -- [[User:Furon|Furon]] ([[User talk:Furon|talk]]) 733ab0b2149875c7aaffe1654fe5beb574b9e226 0 4 6297 6225 2017-12-02T06:10:29Z CakeLancelot 2494 Add known Torque Game Engine games wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = id Tech 4 = id Tech 4 was scaled down for Xbox{{citation needed}}. {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Doom 3]] |- | [[Doom 3: Resurrection of Evil]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Torque Game Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Marble Blast Gold]] |- | [[ThinkTanks]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |- |[[Advent Rising]] |UE2 Build 2226 |- |[[America's Army: Rise of a Soldier]] |UT2003 Build 928 |- |[[Brothers in Arms: Earned in Blood]] |UE2 Build 2226 |- |[[Brothers in Arms: Road to Hill 30]] |UE2 Build 2226 |- |[[Combat: Task Force 121]] |UE2 Build 2110 |- |[[Dead Man's Hand]] |UE2 Build 2110 |- |[[Deus Ex: Invisible War]] |Warfare Build 777 |- |[[Land of the Dead: Road to Fiddler's Green]] |UE2 BUild 2226 |- |[[Magic the Gathering: Battlegrounds]] |Warfare Build 926 |- |[[Men of Valor]] |Warfare Build 926 |- |[[Open Season]] |Warfare Build 927 |- |[[Pariah]] |UT2003 Build 928 with some UE2.5 code |- |[[Shadow Ops: Red Mercury]] |UE2 Build 2110 |- |[[Star Wars: Republic Commando]] |UE2 Build 2226 |- |[[Thief: Deadly Shadows]] |Warfare Build 777 |- |[[Tom Clancy's Ghost Recon: Advanced Warfighter]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3: Black Arrow]] |Warfare Build 927 |- |[[Tom Clancy's Splinter Cell]] |Warfare Build 829 |- |[[Tom Clancy's Splinter Cell: Chaos Theory]] |Warfare Build 829 - Singleplayer & Co-op mode UE2 Build 2110 - Versus mode |- |[[Tom Clancy's Splinter Cell: Double Agent]] |Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- |[[Tom Clancy's Splinter Cell: Pandora Tomorrow]] |Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- |[[Unreal II: The Awakening]] |Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- |[[Unreal Championship]] |UT2003 Build 928 |- |[[Unreal Championship 2: The Liandri Conflict]] |UE2 build 2227 with some UE2.5 code<br>(UE2X) |- |[[Warpath]] |UT2003 Build 928 with some UE2.5 code |- |[[World War II Combat: Road to Berlin]] |UE2 Build 2110 |- |[[World War II Combat: Iwo Jima]] |UE2 Build 2110 |- |[[XIII]] |Warfare Build 829 |} *Contains information from <sup>[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]</sup>, <sup>[https://en.wikipedia.org/wiki/Id_Tech_3 here]</sup>, and <sup>[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]</sup>. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License 588cd781eba7b72a098fa1495a3e8b413f8d9ab1 0 3750 6298 5993 2017-12-27T22:23:20Z Furon 2477 wikitext text/x-wiki The Xbox does not use an ordinary [https://web.archive.org/web/20100617022211/http://en.wikipedia.org/wiki/RAMDAC RAMDAC] for video output. Instead, it employs a <em>video encoder</em>. Video encoder is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a RAMDAC would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the times &ndash; three different video encoders have been used this far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel.) They are, however, not register-compatible. Two of the video encoders (namely, Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [https://web.archive.org/web/20100617022211/http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. (This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal.) The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) [[SMBus]]. === Conexant CX25871 === [https://web.archive.org/web/20100617022211/http://www.conexant.com:9000/cgi-bin/query?mss=srchprod&amp;pg=q&amp;i=IDXPRODSRCH&amp;q=cx25870 Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions v1.0 through v1.3. If you follow the link, you will find a product brief and a complete data sheet, with register-level programming information. === Focus FS454 === [https://web.archive.org/web/20100617022211/http://www.focusinfo.com/solutions/catalog.asp?id=30 Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. The data sheet containing the necessary programming information is available from the manufacturer by separate request. Copies of it have also been seen floating around the net. === Xcalibur === The "Xcalibur" video encoder is a custom chip manufactured for Microsoft. It was first used in the Xbox hardware revision 1.6. The Xbox-Linux support the Xcalibur video encoders is very limited at present (see <a href="/web/20100617022211/http://www.xbox-linux.org/wiki/Xbox_v1.6_Issues" title="Xbox v1.6 Issues">Xbox v1.6 Issues</a>). The reason for this is that there is, at least currently, no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another MS-specific chip, named Xyclops. 26176ee8cb7a0d55faa81015708852d924ea9e9f 0 3750 6299 6298 2017-12-27T22:51:38Z Furon 2477 Fix formatting and links wikitext text/x-wiki The '''video encoder''' is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a [http://en.wikipedia.org/wiki/RAMDAC RAMDAC] would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the years &ndash; three different video encoders have been used thus far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel). They are, however, not register-compatible. Two of the video encoders (Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal. The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) the [[SMBus]]. === Conexant CX25871 === The [http://www.alldatasheet.com/datasheet-pdf/pdf/153349/CONEXANT/CX25871.html Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions 1.0 through 1.3. === Focus FS454 === The [https://www.manualslib.com/products/Focus-Fs454-211664.html Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. === Xcalibur === The Xcalibur video encoder is a custom chip manufactured for Microsoft. It was first used in Xbox hardware revision 1.6. Unfortunately, there is no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another custom chip, named Xyclops. eec3fa4917791dcd62e2303a522ecf4ab38f4c2f 0 3909 6300 2017-12-27T23:55:09Z Furon 2477 Created page with "{|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-..." wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SDL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's Low Pin Count Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, the LPC port has been modified in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V when the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V as long as the Xbox is plugged in. * '''LRESET#''' (5) - LPC reset signal. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (2) - LPC clock signal. 8d9763d92ac3236b9f8a12d682394e2e30dbfa67 6301 6300 2017-12-28T00:20:10Z Furon 2477 wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (2) - 33MHz LPC clock signal; same as PCICLK. 1583c05ede9d1f7d581fdaffb755498f78b701b7 6344 6301 2017-12-30T17:25:42Z Furon 2477 wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (2) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 404b8f255830edd82d1064f97818858be7b9a570 6345 6344 2017-12-30T17:26:02Z Furon 2477 wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (2) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. e28f1a2e60af28c379ba7d0976caec7dbc1a801b 1 3910 6302 2017-12-28T01:03:10Z Furon 2477 Created page with "== Photos == Photos of the debug port across every revision (top and bottom) would be useful to show how the PCB traces changed over time. A photo showing the location of the..." wikitext text/x-wiki == Photos == Photos of the debug port across every revision (top and bottom) would be useful to show how the PCB traces changed over time. A photo showing the location of the port in relation to other components would be nice, too. Perhaps also photos of rebuilt ports and the pads/vias that must be connected. &mdash;[[User:Furon|Furon]] ([[User talk:Furon|talk]]) 4f3208b18ffa90be4042a8aec2aab4ac7b273690 6 3911 6303 2017-12-28T22:08:11Z Furon 2477 Retrieved from xbox-linux.org under the [https://web.archive.org/web/20100617013616/http://www.gnu.org/copyleft/fdl.html GNU Free Documentation License 1.2]. wikitext text/x-wiki Retrieved from xbox-linux.org under the [https://web.archive.org/web/20100617013616/http://www.gnu.org/copyleft/fdl.html GNU Free Documentation License 1.2]. b857daaa928b979ba3edf3a221f4fcd7655a1851 0 3912 6304 2017-12-29T00:04:31Z Furon 2477 Created page with "The Xbox was manufactured in three countries throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; and Doumen, China. == Serial Number == File:Serial-sticker.jp..." wikitext text/x-wiki The Xbox was manufactured in three countries throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; and Doumen, China. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, and China is 05. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. 75a08cdd496069cf260ba225edda0d41bd0075a4 6338 6304 2017-12-29T03:09:13Z Furon 2477 Add photos wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured in three countries throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; and Doumen, China. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, and China is 05. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. a2f2d6dd2e1748ee9d4774059a9a3a7eda4b21db 6339 6338 2017-12-29T03:18:22Z Furon 2477 Mention Taiwan wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. 7b268c39b2ae814afa3e09005058b59ef8b47f44 6341 6339 2017-12-29T03:57:41Z Furon 2477 Add video links wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == External Links == * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Factory Tour Video (Sárvár, Hungary; 2002)] - Demonstrates almost the entire assembly process from start to finish (not including case manufacturing). * [https://www.youtube.com/watch?v=_iR0eNuyUKI Flextronics Advertisement] - Contains still photos of the PCB manufacturing and testing processes. == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. c6cca4ba3d4d19d4c01138a600d3e5aac7d08c92 6342 6341 2017-12-29T18:57:17Z Furon 2477 wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured by Flextronics in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Videos == * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Factory Tour Video (Sárvár, Hungary; 2002)] - Demonstrates almost the entire assembly process from start to finish (not including case manufacturing). * [https://www.youtube.com/watch?v=_iR0eNuyUKI Flextronics Advertisement] - Contains still photos of the PCB manufacturing and testing processes. == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html Case study - Microsoft Xbox], Innovation and Design Management, University of Cambridge * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R. [https://web.archive.org/web/20100617013616/http://www.immnet.com/articles?article=1763 Molding is big man on this campus], PlasticsToday, 1 December 2001 == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. 7adbdca8973708f84fa3445cc70298d0fd52080e 6343 6342 2017-12-29T20:26:24Z Furon 2477 Mention the label bar code wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured by Flextronics in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356<sup>th</sup> to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. The bar code is the 12-digit serial number in standard [https://en.wikipedia.org/wiki/Code_39 Code 39] format. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Videos == * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Factory Tour Video (Sárvár, Hungary; 2002)] - Demonstrates almost the entire assembly process from start to finish (not including case manufacturing). * [https://www.youtube.com/watch?v=_iR0eNuyUKI Flextronics Advertisement] - Contains still photos of the PCB manufacturing and testing processes. == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html Case study - Microsoft Xbox], Innovation and Design Management, University of Cambridge * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R. [https://web.archive.org/web/20100617013616/http://www.immnet.com/articles?article=1763 Molding is big man on this campus], PlasticsToday, 1 December 2001 == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. c0c9d4fba782cd0e5b961fbad53dc1af6dc473ba 6 3913 6305 2017-12-29T01:54:37Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3914 6306 2017-12-29T02:04:17Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3915 6307 2017-12-29T02:04:38Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3916 6308 2017-12-29T02:04:59Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3917 6309 2017-12-29T02:05:23Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3918 6310 2017-12-29T02:05:35Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3919 6311 2017-12-29T02:05:55Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3920 6312 2017-12-29T02:06:13Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3921 6313 2017-12-29T02:06:25Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3922 6314 2017-12-29T02:06:40Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3923 6315 2017-12-29T02:06:59Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3924 6316 2017-12-29T02:07:14Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3925 6317 2017-12-29T02:07:27Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3926 6318 2017-12-29T02:07:40Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3927 6319 2017-12-29T02:08:03Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3928 6320 2017-12-29T02:08:15Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3929 6321 2017-12-29T02:08:32Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3930 6322 2017-12-29T02:08:46Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3931 6323 2017-12-29T02:09:08Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3932 6324 2017-12-29T02:09:22Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3933 6325 2017-12-29T02:09:38Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3934 6326 2017-12-29T02:09:54Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3935 6327 2017-12-29T02:10:14Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3936 6328 2017-12-29T02:12:38Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3937 6329 2017-12-29T02:12:51Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3938 6330 2017-12-29T02:13:07Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3939 6331 2017-12-29T02:13:20Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3940 6332 2017-12-29T02:13:39Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3941 6333 2017-12-29T02:13:53Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3942 6334 2017-12-29T02:14:09Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3943 6335 2017-12-29T02:14:20Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3944 6336 2017-12-29T02:14:40Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 6 3945 6337 2017-12-29T02:14:53Z Furon 2477 From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] wikitext text/x-wiki From [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ andy.saturn9.ws] be6d6c5f23e379b8e5a7bbae3592e3ea3ad8865c 0 1 6340 6252 2017-12-29T03:19:04Z Furon 2477 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 806e4febbed0e30158506aefd0b6a823730b1909 0 3820 6346 5950 2017-12-30T20:56:35Z Furon 2477 wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 P84 |U3 ??? |RX |- |U1 P85 |U3 ??? |TX |} === J9 LPC header=== Not finished {| class="wikitable" !| Pin ! to pin ! Note |- |J9 pin 1 |U1 p29 | |- |J9 pin 2 |GND | |- |J9 pin 3 |U1 p24 |LFrame |- |J9 pin 4 |NC |no pin |- |J9 pin 5 | |RST |- |J9 pin 6 |C12(e),C13(S),C15(S),U3 p11. |5V |- |J9 pin 7 | |LAD3 |- |J9 pin 8 | |LAD2 |- |J9 pin 9 |3.3V | |- |J9 pin 10 | |LAD1 |- |J9 pin 11 | |LAD0 |- |J9 pin 12 |GND | |- |J9 pin 13 |U1 p104 |SCL |- |J9 pin 14 |U1 p103 |SDA |- |J9 pin 15 |3.3V | |- |J9 pin 16 |U1 p30 |(unkown function) |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 6d2c2f12ebf185504357ad8a3d09bf5765a1ae91 1 3946 6347 2018-01-10T16:17:59Z Codeasm 2480 /* TSOP programmed in system or from manufactoring? */ new section wikitext text/x-wiki == TSOP programmed in system or from manufactoring? == Someone pointed me to the following letter: [http://www.ogxbox.com/archive/xboxsecurity.html 17 Mistakes Microsoft Made in the Xbox Security System] under section: Modchips its being said that ``` the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. ``` If Michael Steil is right, our wiki page should be altered accordingly, unless this was a asumption based on the observation they made of a potencial leftover from earlier revisions of the MCPX? we should try to know if Steil got this info from an MS or factory source or someone who should know this --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:17, 10 January 2018 (PST) 18cb93ecfe907641e73f29b8a1d2517d299c60c0 6348 6347 2018-01-10T16:25:43Z Codeasm 2480 /* TSOP programmed in system or from manufactoring? */ wikitext text/x-wiki == TSOP programmed in system or from manufactoring? == Someone pointed me to the following letter: [http://www.ogxbox.com/archive/xboxsecurity.html 17 Mistakes Microsoft Made in the Xbox Security System] under section: Modchips its being said that ''the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip.'' If Michael Steil is right, our wiki page should be altered accordingly, unless this was a asumption based on the observation they made of a potencial leftover from earlier revisions of the MCPX? we should try to know if Steil got this info from an MS or factory source or someone who should know this --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:17, 10 January 2018 (PST) d01e8ba69884316f37824b4226cdf132b6c3692b 1 3946 6349 6348 2018-01-10T17:35:47Z Codeasm 2480 /* TSOP programmed in system or from manufactoring? */ wikitext text/x-wiki == TSOP programmed in system or from manufactoring? == Someone pointed me to the following letter: [http://www.ogxbox.com/archive/xboxsecurity.html 17 Mistakes Microsoft Made in the Xbox Security System] under section: Modchips its being said that ''the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip.'' If Michael Steil is right, our wiki page should be altered accordingly, unless this was a asumption based on the observation they made of a potencial leftover from earlier revisions of the MCPX? we should try to know if Steil got this info from an MS or factory source or someone who should know this --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 08:17, 10 January 2018 (PST) http://www.ogxbox.com/forums/index.php?/topic/335-tsop-flashing-at-wich-factory-and-onboard/&tab=comments#comment-1524 So certain modchips or even kernels would allow writing TSOP from modchip booted xboxes, its not a technical limitation then, just... who is right or are earlier xboxes preflashed and later ones onboard or the other way arround? --[[User:Codeasm|Codeasm]] ([[User talk:Codeasm|talk]]) 09:35, 10 January 2018 (PST) 5caf6f67bf1938692d4c8b177131efa8daab7fb3 0 3766 6350 6259 2018-01-12T19:46:30Z Furon 2477 Add info about arbitration and USB-SMBus adapters wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. It supports bus arbitration and the Xbox kernel will retry transactions if a collision occurs. This means it is safe to use a second SMBus master (a USB-SMBus adapter, for example) while the Xbox is running ''as long as the second master also supports arbitration''. Adapters based on the Silicon Labs CP2112 or Microchip MCP2221 chips will work, for example. ==SMBus Controller Port Layout== {| class="wikitable" |- ! Port !! Description |- | 0xC000 | '''Status''' * bit 0: abort * bit 1: collision * bit 2: protocol error * bit 3: busy * bit 4: cycle complete * bit 5: timeout |- | 0xC002 | '''Control''' * bit 2-0: cycle type * bit 3: start * bit 4: enable interrupt * bit 5: abort |- | 0xC004 | '''Address''' |- | 0xC006 | '''Data''' |- | 0xC008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | Conexant CX25871 Video Encoder | 0x45 | 0x8a |- | ADM1032 System Temperature Monitor | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. b061a2028c3e084da7219c61ccb02c5f59530799 6351 6350 2018-01-12T19:46:57Z Furon 2477 wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. It supports bus arbitration and the Xbox kernel will retry transactions if a collision occurs. This means it is safe to use a second SMBus master (like a USB-SMBus adapter) while the Xbox is running ''as long as the second master also supports arbitration''. Adapters based on the Silicon Labs CP2112 or Microchip MCP2221 chips will work, for example. ==SMBus Controller Port Layout== {| class="wikitable" |- ! Port !! Description |- | 0xC000 | '''Status''' * bit 0: abort * bit 1: collision * bit 2: protocol error * bit 3: busy * bit 4: cycle complete * bit 5: timeout |- | 0xC002 | '''Control''' * bit 2-0: cycle type * bit 3: start * bit 4: enable interrupt * bit 5: abort |- | 0xC004 | '''Address''' |- | 0xC006 | '''Data''' |- | 0xC008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | Conexant CX25871 Video Encoder | 0x45 | 0x8a |- | ADM1032 System Temperature Monitor | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. 81721cd7df472c08a06571fd9845f9a0e2f33ee9 0 3821 6352 5947 2018-01-14T13:58:54Z Codeasm 2480 Added Raptor card details. wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} two versions of the PCI scsi card are known: * 940-75004 Rev.01 * unkown, have to ask. The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board] 3f2edfc6d23a48f5089821614816589e0f1c766c 6353 6352 2018-01-15T11:20:14Z Codeasm 2480 XDK Raptor card, found out mine is atleast another version, 2 or more? wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} two versions of the PCI scsi card are known: * 940-75004 Rev.01 * 700-75307 Rev.01 The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board] 4cc6aaf2615a17a6e7d6db6f8e973659e9c5ec13 6354 6353 2018-01-15T11:33:59Z Codeasm 2480 found another rev. wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} two or more versions of the PCI scsi card are known: * 940-75004 Rev.01 * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board] 836def719e921cc79f0432405060d5f074554a37 6356 6354 2018-01-15T15:41:13Z Codeasm 2480 some number detail wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} The complete kit, a Raptor PCI Scsi card and Hardisk was numbered: 940-75004 Rev.01 two or more versions of the PCI scsi card are known: * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board] 3142c161d3296405138840c7870d1469393f68b5 0 3748 6355 5997 2018-01-15T11:56:57Z Codeasm 2480 /* Revisions */ chihiro smc wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is also the hardware which is connected to the Power and Eject buttons. The PIC is running at 20 MHz with its own ROM, RAM and I/O lines. The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P2L{{citation needed}} * D01 (Seen in a debug kit) * D05 (seen in a earlier model chihiro) be6e8428729e54c85b6a0e14aee54168930bee48 1 3908 6357 6296 2018-01-16T01:18:45Z Furon 2477 wikitext text/x-wiki == Alternative Super I/O Controller == <del>If one wanted to create a new kernel debugger board, the Microchip LPC47N217 Super I/O Controller is still in production and has a configuration interface compatible with the SMSC LPC47M157. It has fewer pins, thanks to a reduced number of logical devices, so should be easier to solder.</del> Turns out the LPC47N217's configuration registers are not compatible, after all. Its register I/O sequence is also slightly different, so the kernel would have to be patched. -- [[User:Furon|Furon]] ([[User talk:Furon|talk]]) dc122d6f3dfb11699a9f9470472b42a6a8a08ad2 2 3729 6358 6258 2018-01-17T21:03:57Z Codeasm 2480 Xbox part number list wikitext text/x-wiki Me like Xbox. ---- == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == this table asumes there is NO AV output, if there is Video output, refer to the onscreen error code or message on display. The led error codes should only apear without any video output or you dashboard like XBMC is fooling you. When using modchips, check LPC pin connections, fix/remove solderblobs and check D0 and alike wires. try without modchip to see if the onboard TSOP does something. taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. NO AV, if AV turns on with a code, its NOT a frag. The 1.0 - 1.5 xbox revisions will leave the power on and "frags". The 1.6 and 1.6b xboxes will turn the power off.[https://assemblergames.com/threads/xbox-flashing-red-and-green.64852/page-2 source] === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. === 3/4 GREEN 1/4 RED === DVD not properly connected or faulty dvd board {{citation needed|reason=havent tested this one myself}} === 3/4 RED 1/4 GREEN === Harddisk faulty, or not properly connected {{citation needed|reason=havent tested this one myself}} === RED/ORANGE Flashing === Bad RAM, solderjoint near RAM or other RAM related problem. Did you replace/added RAM? That might be the problem.{{citation needed|reason=havent tested this one myself, never replaced ram.}} == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Microsoft part number list === WORK IN PROGRESS Duke ---------------------- Case serial pcb ic X numbr ---------------------------------------------------------------------- KD708184347 K23B121 REV:A X08-17160 041593501 X08-17160 045701396 X08-17160 050469092 X08-17160 S controller ---------------------- serial pcb ic X numbr ---------------------------------------------------------------------- 700182091A K86-00002 719436212A X08-69873 ca4df55ae5b951fe7272325dd7758d25fa437966 6359 6358 2018-01-20T19:20:35Z Codeasm 2480 wikitext text/x-wiki Me like Xbox. ---- http://web.archive.org/web/20151002194113/http://home.comcast.net/~admiral_powerslave/jtag.html == Some work that doesnt fit somewhere else, yet == == Xbox led error codes == this table asumes there is NO AV output, if there is Video output, refer to the onscreen error code or message on display. The led error codes should only apear without any video output or you dashboard like XBMC is fooling you. When using modchips, check LPC pin connections, fix/remove solderblobs and check D0 and alike wires. try without modchip to see if the onboard TSOP does something. taken from: [https://web.archive.org/web/20061013114130/http://xbox-scene.org/articles/leds.php] Tutorial written by : XanTium Last edited: June 14, 2004 === GREEN/RED Flashing === Probably a bad chip or bad image. === 2 reboots then GREEN/RED Flashing === FRAG, dead {{citation needed|reason=mine is dead, some other xboxes are dead, but are they dead? cant be fixed and reason unkown? Mine had a leaking clockcap}}. NO AV, if AV turns on with a code, its NOT a frag. The 1.0 - 1.5 xbox revisions will leave the power on and "frags". The 1.6 and 1.6b xboxes will turn the power off.[https://assemblergames.com/threads/xbox-flashing-red-and-green.64852/page-2 source] === SOLID GREEN/No EJECT/No AUDIO/No VIDEO === Probably a bad solder point. Check all your points again. It could also be a heat problem , make sure your fan is connected and don't put your xbox near heat sources. You can also try to open the top of the xbox and check if it goes better. === SOLID GREEN/No AUDIO/No VIDEO === This is probably a problems with your audio settings. Try to boot your xbox with a standard a/v pack instead of a HD pack. === ORANGE/GREEN Flashing === No AUDIO/VIDEO (A/V) pack. This may also be down to a solder splash on the board or a damaged track. === ORANGE Flashing === This may also be down to a solder splash on the board or a damaged track. May also be due overheating. === GREEN for half a sec then RED Flashing === Bad/Corrupted or Empty Eeprom. === SOLID RED === System overheated , hardware failure , ... === FLASHING RED === Dead, broken or empty eeprom. === 3/4 GREEN 1/4 RED === DVD not properly connected or faulty dvd board {{citation needed|reason=havent tested this one myself}} === 3/4 RED 1/4 GREEN === Harddisk faulty, or not properly connected {{citation needed|reason=havent tested this one myself}} === RED/ORANGE Flashing === Bad RAM, solderjoint near RAM or other RAM related problem. Did you replace/added RAM? That might be the problem.{{citation needed|reason=havent tested this one myself, never replaced ram.}} == patents == https://www.google.com/patents/USD451513 Duke https://www.google.ch/patents/USD452534 Top of console https://www.google.com/patents/USD452282 Top shell of console https://encrypted.google.com/patents/EP1475131B1 Keypad for OG xbox (Live) https://encrypted.google.com/patents/US8493326 Linked too === Memory cards === I own multiple memorycards and 3 diferent vendors. one of wich is ofcourse Microsoft itself. here is what I have sofar. it would be nice to have a good seperate wiki entry for this, but I rather ask first where and what. <pre> Bus 003 Device 005: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Bus 003 Device 006: ID 044f:0f0c ThrustMaster, Inc. Bus 003 Device 003: ID 040b:6520 Weltrend Semiconductor XBOX Xploder </pre> <pre> Bus 003 Device 014: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 015: ID 044f:0f0c ThrustMaster, Inc. Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x044f ThrustMaster, Inc. idProduct 0x0f0c bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> <pre> Bus 003 Device 016: ID 040b:6520 Weltrend Semiconductor XBOX Xploder Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x040b Weltrend Semiconductor idProduct 0x6520 XBOX Xploder bcdDevice 2.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === Microsoft part number list === WORK IN PROGRESS Duke ---------------------- Case serial pcb ic X numbr ---------------------------------------------------------------------- KD708184347 K23B121 REV:A X08-17160 041593501 X08-17160 045701396 X08-17160 050469092 X08-17160 S controller ---------------------- serial pcb ic X numbr ---------------------------------------------------------------------- 700182091A K86-00002 719436212A X08-69873 dc21def322947a299d797eb0894726dd0d6cff50 0 3818 6360 6176 2018-01-22T08:55:21Z Codeasm 2480 /* Minebea */ Syclopse shared these details with me. wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumoured to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB * 3V3 Standby 0.075A * 3V3 4.8A * 5V 13.2A * 12V 1.2A === Foxlink Technology LTD === {{FIXME|reason=I dont own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker * 96W Max output power * 3V3 Standby 0.045A * 3V3 4.8A * 5V 13.2A * 12V 1.2A ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what apeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either recieve a thicker but very similiar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interupter). a online form would then be used to determine wich type of cable you recieve by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personaly requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and recieved a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumely this one doesnt come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, wich also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 and later === {| class="wikitable" ! Pin || Usage |- | Pin 1 || +5V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || None |- | Pin 5 || GND |- | Pin 6 || None |- | Pin 7 || +3.3V |- | Pin 8 || None |- | Pin 9 || GND |- | Pin 10 || POWOK |- | Pin 11 || +12V |- | Pin 12 || None |- | Pin 13 || +5V |- | Pin 14 || GND |- | Pin 15 || +3V Standby |- | Pin 16 || GND |- | Pin 17 || None |- | Pin 18 || +3.3V |- | Pin 19 || GND |- | Pin 20 || POWON |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] a75e8682549774389a53254ed3cf6c3b8af234a9 0 3701 6361 5565 2018-01-24T17:56:39Z JayFoxRox 2 wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPRDT section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://www.youtube.com/watch?v=Da_ont-2AG0 Modern Vintage Gamer: Revisiting Original Xbox Backward Compatibility on the Xbox 360] 39db60fb749ac541be13712a34283223561f3634 0 3820 6362 6346 2018-02-06T20:11:57Z Codeasm 2480 /* U1 SMsC LPC ic */ updates for pins 27,40, 44,45 and 60 (pins RX and TX on MAX223) wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p27 |R7 |Pull up (3.3v) |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 p40 |GND | |- |U1 p44 |3.3v with C2 |Vcc? |- |U1 p45 |R1 (R2 unpopulated) |Pull down (R2 would be pullup 3.3v) |- |U1 p60 |GND | |- |U1 P84 |U3 P8 |RX |- |U1 P85 |U3 P6 |TX |} === J9 LPC header=== Not finished {| class="wikitable" !| Pin ! to pin ! Note |- |J9 pin 1 |U1 p29 | |- |J9 pin 2 |GND | |- |J9 pin 3 |U1 p24 |LFrame |- |J9 pin 4 |NC |no pin |- |J9 pin 5 | |RST |- |J9 pin 6 |C12(e),C13(S),C15(S),U3 p11. |5V |- |J9 pin 7 | |LAD3 |- |J9 pin 8 | |LAD2 |- |J9 pin 9 |3.3V | |- |J9 pin 10 | |LAD1 |- |J9 pin 11 | |LAD0 |- |J9 pin 12 |GND | |- |J9 pin 13 |U1 p104 |SCL |- |J9 pin 14 |U1 p103 |SDA |- |J9 pin 15 |3.3V | |- |J9 pin 16 |U1 p30 |(unkown function) |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 5fbd95de3e109ff3f47abf46091417618319ed87 6363 6362 2018-02-06T20:22:42Z Codeasm 2480 Added U2 detail, not much, only serial pins wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p27 |R7 |Pull up (3.3v) |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 p40 |GND | |- |U1 p44 |3.3v with C2 |Vcc? |- |U1 p45 |R1 (R2 unpopulated) |Pull down (R2 would be pullup 3.3v) |- |U1 p60 |GND | |- |U1 P84 |U3 P8, U2 P18 |RX |- |U1 P85 |U3 P6, U2 P17 |TX |} === J9 LPC header=== Not finished {| class="wikitable" !| Pin ! to pin ! Note |- |J9 pin 1 |U1 p29 | |- |J9 pin 2 |GND | |- |J9 pin 3 |U1 p24 |LFrame |- |J9 pin 4 |NC |no pin |- |J9 pin 5 | |RST |- |J9 pin 6 |C12(e),C13(S),C15(S),U3 p11. |5V |- |J9 pin 7 | |LAD3 |- |J9 pin 8 | |LAD2 |- |J9 pin 9 |3.3V | |- |J9 pin 10 | |LAD1 |- |J9 pin 11 | |LAD0 |- |J9 pin 12 |GND | |- |J9 pin 13 |U1 p104 |SCL |- |J9 pin 14 |U1 p103 |SDA |- |J9 pin 15 |3.3V | |- |J9 pin 16 |U1 p30 |(unkown function) |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 48776d81b2c5f1d80eace09d0ebad9f82b6e4485 6364 6363 2018-02-13T06:22:45Z Ernegien 2491 /* J9 LPC header */ wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p27 |R7 |Pull up (3.3v) |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 p40 |GND | |- |U1 p44 |3.3v with C2 |Vcc? |- |U1 p45 |R1 (R2 unpopulated) |Pull down (R2 would be pullup 3.3v) |- |U1 p60 |GND | |- |U1 P84 |U3 P8, U2 P18 |RX |- |U1 P85 |U3 P6, U2 P17 |TX |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 Pin 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 32ee15b8efe3828bb74d11a4cb2119393136f9e4 6365 6364 2018-02-13T06:25:07Z Ernegien 2491 /* J9 LPC header */ wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p27 |R7 |Pull up (3.3v) |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 p40 |GND | |- |U1 p44 |3.3v with C2 |Vcc? |- |U1 p45 |R1 (R2 unpopulated) |Pull down (R2 would be pullup 3.3v) |- |U1 p60 |GND | |- |U1 P84 |U3 P8, U2 P18 |RX |- |U1 P85 |U3 P6, U2 P17 |TX |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [http://imgur.com/a/vJi9E Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 91a19f564b672deb4d5dbb3b48a06a8663b55324 6366 6365 2018-02-13T06:30:40Z Ernegien 2491 /* Related links */ wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === {| class="wikitable" !| Pin ! to pin ! Note |- |U1 pin 18 |C17(up) and ? |(not finished) |- |U1 pin 6,7 |C17(down) and GND |Both U1 pins yes) |- |U1 p24 |J9 pin 3 |LFrame |- |U1 p27 |R7 |Pull up (3.3v) |- |U1 p29 |J9 pin 1 |LClk |- |U1 p30 |J9 pin 16 |(unkown function) |- |U1 p40 |GND | |- |U1 p44 |3.3v with C2 |Vcc? |- |U1 p45 |R1 (R2 unpopulated) |Pull down (R2 would be pullup 3.3v) |- |U1 p60 |GND | |- |U1 P84 |U3 P8, U2 P18 |RX |- |U1 P85 |U3 P6, U2 P17 |TX |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 96cde1200fb7161b8e66030220acaacda39cec58 6367 6366 2018-02-13T07:26:50Z Ernegien 2491 /* U1 SMsC LPC ic */ wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U1 SMsC LPC ic === Still lots to fill out here, but all connections required for kernel debugging via null-modem cable tied to TX/RX/GND have been accounted for. {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 6 | CLKI32 | Input | 32.768kHz trickle clock input | GND (C17) | Disabled via GND |- | 7 | VSS | Power | Ground | GND (C17) | |- | 18 | VTR | Power | 3.3V standby voltage | C17 bypass to 3.3V | Connected to VCC because no wakeup functionality is required |- | 19 | CLOCKI | Input | 14.318MHz clock input | Y2 3 | |- | 20 | LAD0 | I/O | LPC address/data bus | J9 11 | Multiplexed command, address and data bus. |- | 21 | LAD1 | I/O | LPC address/data bus | J9 10 | Multiplexed command, address and data bus. |- | 22 | LAD2 | I/O | LPC address/data bus | J9 8 | Multiplexed command, address and data bus. |- | 23 | LAD3 | I/O | LPC address/data bus | J9 7 | Multiplexed command, address and data bus. |- | 24 | LFRAME# | Input | Frame signal | J9 3 | Indicates start of a new cycle and termination of broken cycle. |- | 26 | PCI_RESET# | Input | PCI reset | J9 5 | Used as LPC interface reset. |- | 27 | LPCPD# | Input | Power down signal | R7 (10k) pull-up to 3.3V | Indicates that it should prepare for power to be shut down on the LPC interface. Tied high relying on PCI_RESET to do its job. |- | 29 | PCI_CLK | Input | PCI clock | J9 1 | |- | 30 | SER_IRQ | Output | Serial interrupt requests | J9 16 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |- | 31 | VSS | Power | Ground | GND | |- | 32 | GP10/J1B1 | | | Trace open? | |- | 33 | GP11/J1B2 | | | Trace open? | |- | 34 | GP12/J2B1 | | | Trace open? | |- | 37 | GP15/J1Y | | | Trace open? | |- | 38 | GP16/J2X | | | Trace open? | |- | 39 | GP17/J2Y | | | Trace open? | |- | 40 | AVSS | Power | Analog ground | GND | |- | 42 | GP21/P16/nDS1 | | | Trace open? | |- | 44 | VREF | Power | 3.3V reference voltage | C2 bypass to 3.3V | 5V or 3.3V used for the game port logic |- | 45 | GP24/SYSOPT | | | R1 (10k) pull-down to GND | Set the configuration base I/O address of 0x2E (R2 would be a pullup to 3.3V with a different configuration address) |- | 47 | GP26/MIDI_OUT | | | Trace open? | |- | 49 | GP61/LED2 | | | Trace open? | |- | 51 | GP30/FAN_TACH2 | | | Trace open? | |- | 53 | VCC | Power | 3.3V supply voltage | C1 bypass to 3.3V | |- | 55 | P33/FAN1 | | | Trace open? | |- | 57 | KCLK | | | Trace open? | |- | 59 | MCLK | | | Trace open? | |- | 60 | VSS | Power | Ground | GND | |- | 61 | IRRX2/GP34 | | | Trace open? | |- | 65 | VCC | Power | 3.3V supply voltage | C9 bypass to 3.3V | |- | 76 | VSS | Power | Ground | GND (C10) | |- | 84 | RXD1 | Input | | U3 8 U2 18 | |- | 85 | TXD1 | Output | | U3 6 U2 17 | |- | 86 | nDSR1 | Input | Data set ready | U3 ? | Optional flow control |- | 87 | nRTS1 | Output | Request to send | U3 ? | Optional flow control |- | 93 | VCC | Power | | C21 bypass to 3.3V | |- | 95 | RXD2 | Input | | Trace open? | |- | 96 | TXD2 | Output | | Trace hidden under IC? | |- | 97 | nDSR2 | Input | Data set ready | Trace open? | Optional flow control |- | 98 | nRTS2 | Output | Request to send | Trace hidden under IC? | Optional flow control |- | 101 | HVSS | Power | | GND | |- | 102 | HVCC | Power | | C24 bypass to 3.3V | |- | 103 | SDA | I/O | | J9 14 | |- | 104 | SCLK | I/O | | J9 13 | |- | 105 | A0/RESET# | | | R10 (10k) pull-up to 3.3V | |- | 111 | HVCC | Power | | C32 bypass to 3.3V | |- | 112 | HVSS | Power | | GND | |- | 121 | HVCC | Power | | C33 bypass to 3.3V | |- | 122 | HVCC | Power | | C34 bypass to 3.3V | |- | 125 | HVSS | Power | | GND | |- | 126 | HVSS | Power | | GND | |- | 127 | HVSS | Power | | GND | |- | 128 | HVSS | Power | | GND | |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 0639fb82c7aca94f60095f06d509d7143a41cdf3 6368 6367 2018-02-13T07:43:07Z Ernegien 2491 /* Schematic */ wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} [http://codeasm.com/xbox/images/dvt4/SL734874.JPG Picture of the board]{{FIXME|reason=Contact codeasm, he said he'll search for the non-watermarked pic and put it under a good license}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U3 MAX223EAI [https://datasheets.maximintegrated.com/en/ds/MAX220-MAX249.pdf] === {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | T3OUT | | | | |- | 2 | T1OUT | | | | |- | 3 | T2OUT | | | | |- | 4 | R2IN | | | | |- | 5 | R2OUT | | | | |- | 6 | T2IN | | | | |- | 7 | T1IN | | | | |- | 8 | R1OUT | | | | |- | 9 | R1IN | | | | |- | 10 | GND | | | | |- | 11 | VCC | Power | 5V supply voltage | J9 6 | |- | 12 | C1+ | | | | |- | 13 | V+ | | | | |- | 14 | C1- | | | | |- | 15 | T4OUT | | | | |- | 16 | R3IN | | | | |- | 17 | R3OUT | | | | |- | 18 | SHDN | | | | |- | 19 | EN | | | | |- | 20 | R4IN | | | | |- | 21 | R4OUT | | | | |- | 22 | T4IN | | | | |- | 23 | T3IN | | | | |- | 24 | R5OUT | | | | |- | 25 | R5IN | | | | |- | 26 | V- | | | | |- | 27 | C2- | | | | |- | 28 | C2+ | | | | |} === U1 SMsC LPC ic === Still lots to fill out here, but all connections required for kernel debugging via null-modem cable tied to TX/RX/GND have been accounted for. {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 6 | CLKI32 | Input | 32.768kHz trickle clock input | GND (C17) | Disabled via GND |- | 7 | VSS | Power | Ground | GND (C17) | |- | 18 | VTR | Power | 3.3V standby voltage | C17 bypass to 3.3V | Connected to VCC because no wakeup functionality is required |- | 19 | CLOCKI | Input | 14.318MHz clock input | Y2 3 | |- | 20 | LAD0 | I/O | LPC address/data bus | J9 11 | Multiplexed command, address and data bus. |- | 21 | LAD1 | I/O | LPC address/data bus | J9 10 | Multiplexed command, address and data bus. |- | 22 | LAD2 | I/O | LPC address/data bus | J9 8 | Multiplexed command, address and data bus. |- | 23 | LAD3 | I/O | LPC address/data bus | J9 7 | Multiplexed command, address and data bus. |- | 24 | LFRAME# | Input | Frame signal | J9 3 | Indicates start of a new cycle and termination of broken cycle. |- | 26 | PCI_RESET# | Input | PCI reset | J9 5 | Used as LPC interface reset. |- | 27 | LPCPD# | Input | Power down signal | R7 (10k) pull-up to 3.3V | Indicates that it should prepare for power to be shut down on the LPC interface. Tied high relying on PCI_RESET to do its job. |- | 29 | PCI_CLK | Input | PCI clock | J9 1 | |- | 30 | SER_IRQ | Output | Serial interrupt requests | J9 16 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |- | 31 | VSS | Power | Ground | GND | |- | 32 | GP10/J1B1 | | | Trace open? | |- | 33 | GP11/J1B2 | | | Trace open? | |- | 34 | GP12/J2B1 | | | Trace open? | |- | 37 | GP15/J1Y | | | Trace open? | |- | 38 | GP16/J2X | | | Trace open? | |- | 39 | GP17/J2Y | | | Trace open? | |- | 40 | AVSS | Power | Analog ground | GND | |- | 42 | GP21/P16/nDS1 | | | Trace open? | |- | 44 | VREF | Power | 3.3V reference voltage | C2 bypass to 3.3V | 5V or 3.3V used for the game port logic |- | 45 | GP24/SYSOPT | | | R1 (10k) pull-down to GND | Set the configuration base I/O address of 0x2E (R2 would be a pullup to 3.3V with a different configuration address) |- | 47 | GP26/MIDI_OUT | | | Trace open? | |- | 49 | GP61/LED2 | | | Trace open? | |- | 51 | GP30/FAN_TACH2 | | | Trace open? | |- | 53 | VCC | Power | 3.3V supply voltage | C1 bypass to 3.3V | |- | 55 | P33/FAN1 | | | Trace open? | |- | 57 | KCLK | | | Trace open? | |- | 59 | MCLK | | | Trace open? | |- | 60 | VSS | Power | Ground | GND | |- | 61 | IRRX2/GP34 | | | Trace open? | |- | 65 | VCC | Power | 3.3V supply voltage | C9 bypass to 3.3V | |- | 76 | VSS | Power | Ground | GND (C10) | |- | 84 | RXD1 | Input | | U3 8 U2 18 | |- | 85 | TXD1 | Output | | U3 6 U2 17 | |- | 86 | nDSR1 | Input | Data set ready | U3 ? | Optional flow control |- | 87 | nRTS1 | Output | Request to send | U3 ? | Optional flow control |- | 93 | VCC | Power | | C21 bypass to 3.3V | |- | 95 | RXD2 | Input | | Trace open? | |- | 96 | TXD2 | Output | | Trace hidden under IC? | |- | 97 | nDSR2 | Input | Data set ready | Trace open? | Optional flow control |- | 98 | nRTS2 | Output | Request to send | Trace hidden under IC? | Optional flow control |- | 101 | HVSS | Power | | GND | |- | 102 | HVCC | Power | | C24 bypass to 3.3V | |- | 103 | SDA | I/O | | J9 14 | |- | 104 | SCLK | I/O | | J9 13 | |- | 105 | A0/RESET# | | | R10 (10k) pull-up to 3.3V | |- | 111 | HVCC | Power | | C32 bypass to 3.3V | |- | 112 | HVSS | Power | | GND | |- | 121 | HVCC | Power | | C33 bypass to 3.3V | |- | 122 | HVCC | Power | | C34 bypass to 3.3V | |- | 125 | HVSS | Power | | GND | |- | 126 | HVSS | Power | | GND | |- | 127 | HVSS | Power | | GND | |- | 128 | HVSS | Power | | GND | |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] dd9219c4873c5d31215c3d97f0ded9228316b0df 0 3789 6369 5650 2018-02-25T12:05:55Z Codeasm 2480 Unkown if comercialy released. usb webcam wikitext text/x-wiki == Notes == * http://euc.jp/periphs/xbox-controller.en.html * [[Videochat - Xbox webcam]http://www.eurogamer.net/articles/ss_videochat_x] ef94463177785310ef5d59ba785dae236995dd07 6370 6369 2018-03-01T19:54:25Z Codeasm 2480 Added Videochat links wikitext text/x-wiki == Notes == * http://euc.jp/periphs/xbox-controller.en.html * [Videochat - Xbox webcam http://www.eurogamer.net/articles/ss_videochat_x] * [Videochat trailer on Xbox-Ism TGS 2004 https://www.youtube.com/watch?v=__6hxTzc8YY] 8f8534728e70a385a26a32d8b8ff00f3c55ec835 6371 6370 2018-03-02T12:50:02Z Codeasm 2480 Added more detail about the videochat program and its hardware. also hope the links are fixed now. wikitext text/x-wiki == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ Xbox Live Video Chat in Japan] Dvd mediaset number: X10-98754 Xbox cam: X10-71835 [https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] [http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] [https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 66f2af47df85a02e5a2fdefb5dc969e410e1e766 6372 6371 2018-03-02T12:50:24Z Codeasm 2480 /* Videochat - Xbox Cam */ wikitext text/x-wiki == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 [https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] [http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] [https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 1c3a9389c2ab1a0b798bccd452640a18bbb5c972 6373 6372 2018-03-02T12:51:54Z Codeasm 2480 /* Videochat - Xbox Cam */ wikitext text/x-wiki == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 8053a14de3a0976e650dd5cf8edb5db71b2a89f9 0 3751 6374 6205 2018-03-04T04:08:51Z DaveX 2487 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 9c8cbb385807861072822a59283dcd3c3972f049 0 3742 6375 6194 2018-03-04T06:59:52Z Fisherman166 2497 Add read checksum calculation for eeprom reads. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] add2abb03838eae15e23a345a78987cae227bc74 1 3910 6376 6302 2018-03-05T13:22:42Z PatrickvL 2473 added schematic link wikitext text/x-wiki == Photos == Photos of the debug port across every revision (top and bottom) would be useful to show how the PCB traces changed over time. A photo showing the location of the port in relation to other components would be nice, too. Perhaps also photos of rebuilt ports and the pads/vias that must be connected. &mdash;[[User:Furon|Furon]] ([[User talk:Furon|talk]]) Schematic with discussion : https://www.reddit.com/r/originalxbox/comments/81gluq/found_my_old_lpc_diagram_yesterday/ 9fd095138b9d55d3cda6a496f876ae26e35b9ecd 0 3909 6377 6345 2018-03-17T05:44:22Z KaosEngineer 2482 V1.6 5V always on when AC plugged in. Older revisions this supply voltage was turned on / off with console. wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (2) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. ebb3b14eccc9842aca39d57d55c56c8eb53ce26e 6385 6377 2018-04-11T20:06:04Z KaosEngineer 2482 LCLK (2) wrong pin changed to (1) wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 116b4bc8a41ee069900e70df07a4c90962e33f6b 6386 6385 2018-04-11T20:08:40Z KaosEngineer 2482 pin 9 on 1.6 difference noted ( n/c to 3.3Vdc supply voltage) wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. (On 1.6 hardware, disconnected reconnect to pin 15 to restore supply voltage.) * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. d588ede5e88bd2bf60385b198ec218a20d0b766a 6387 6386 2018-04-11T20:09:29Z KaosEngineer 2482 removed parens to match other lines showing 1.6 hardware difference wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, disconnected reconnect to pin 15 to restore supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. dc377fb37e82f6ab5dc521e229564f32bc277b97 0 3688 6378 5464 2018-03-24T08:45:29Z JayFoxRox 2 wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> '''Interested? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]), [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im] or the [https://discord.gg/BZTwPNb Discord server about Original Xbox emulation]. You'll also get the details for wiki account creation there. </div> </div> a5599af1f4b243822fcd40a49121f1244b9b58d1 6380 6378 2018-03-24T12:02:54Z JayFoxRox 2 Make header slightly less confusing wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]), [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im] or the [https://discord.gg/BZTwPNb Discord server about Original Xbox emulation]. You'll also get the details for wiki account creation there. </div> </div> 6275e1626604e2ce40556b9e5bae6fb52b1d1575 6381 6380 2018-03-27T10:37:50Z JayFoxRox 2 the discord has repeatedly made poor administrative decisions in the past. removed, at least temporarily. wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]) or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im]. You'll also get the details for wiki account creation there. </div> </div> 04fbe371b9cc5ffcdc48605206d491f47fdc7087 6382 6381 2018-03-28T03:39:01Z Mborgerson 2478 wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]), [https://discord.gg/WxJPPyz Discord], or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im]. You'll also get the details for wiki account creation there. </div> </div> 92fdc513828945bef94c520560c80b837b7ccaaa 0 3703 6379 6273 2018-03-24T08:51:52Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 88c217b1c1c096422112947986fcfc09c0dae6ef 0 3721 6383 5321 2018-03-30T17:49:51Z Ernegien 2491 wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | altaddr | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | authuser | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | boxid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | break | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | bye | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ |- | style="font-family: monospace; text-align: left" | capctrl | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | continue | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | crashdump | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | d3dopcode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgname | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgoptions | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugger | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugmode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dedicate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | deftitle | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | delete | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dirlist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dmversion | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivelist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdblk | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdperf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | flash | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | fmtfat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | funccall | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getd3dstate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getextcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getgamma | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem2 | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpalette | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsum | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsurf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getutildrvinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | go | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | gpucount | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | halt | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | irtsweep | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isbreak | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isdebugger | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | kd | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | keyxchg | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lockmode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lop | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | magicboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | memtrack | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mkdir | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mmglobal | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modlong | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modsections | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modules | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | nostopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notify | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notifyat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pbsnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pclist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pdbinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pssnap | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | querypc | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | reboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | rename | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | resume | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | screenshot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | servname | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setconfig | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setsystime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | signcontent | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stop | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | suspend | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | sysfileupd | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | systime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threadinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threads | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | title | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | user | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | userlist | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | vssnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | walkmem | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | writefile | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} c8fb5469d8505bd9c02a952539968764bb38fdb6 6384 6383 2018-03-30T18:17:52Z Ernegien 2491 wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | altaddr | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | authuser | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | boxid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | break | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | bye | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | capcontrol | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ |- | style="font-family: monospace; text-align: left" | capctrl | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | continue | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | crashdump | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | d3dopcode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgname | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dbgoptions | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugger | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | debugmode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dedicate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | deftitle | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | delete | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dirlist | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dmversion | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivefreespace | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | drivelist | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdblk | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | dvdperf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | flash | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | fmtfat | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | funccall | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getd3dstate | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getextcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getgamma | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getmem2 | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpalette | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getpid | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsum | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getsurf | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getuserpriv | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | getutildrvinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | go | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | gpucount | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | halt | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | irtsweep | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isbreak | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | isdebugger | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | kd | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | keyxchg | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lockmode | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | lop | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | magicboot | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | memtrack | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mkdir | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | mmglobal | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modlong | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modsections | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | modules | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | nostopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notify | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | notifyat | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pbsnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pclist | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pdbinfo | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | pssnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | querypc | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | reboot | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | rename | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | resume | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | screenshot | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | servname | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setconfig | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setcontext | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setfileattributes | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setsystime | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | setuserpriv | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | signcontent | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stop | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | stopon | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | suspend | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | sysfileupd | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | systime | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threadinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | threads | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | title | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | user | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | userlist | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | vssnap | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | walkmem | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | writefile | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xbeinfo | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- | style="font-family: monospace; text-align: left" | xtlinfo | style="background: #F2CECE" | ✗ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ | style="background: #CEF2E0" | ✓ |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} 43366ea0110b00aa36fd143716f851ba480f5f79 2 3947 6388 2018-04-21T15:01:01Z ChrisderWahre 2498 Created page with "My user page x)" wikitext text/x-wiki My user page x) 3996b201dce91ec8f9e736d7b5bffff766468b12 6389 6388 2018-04-21T18:55:30Z ChrisderWahre 2498 wikitext text/x-wiki == ChrisderWahre == Hey, i am a Java, C# and Python Developer from Germany, and i love the original XBox. 0ac8cd18aba5af95fb5a37608c30e6fb45f70176 6390 6389 2018-04-21T20:26:36Z ChrisderWahre 2498 /* ChrisderWahre */ wikitext text/x-wiki == ChrisderWahre == Hey, i am a Java, C# and Python Developer from Germany, and i love the original XBox. Contact me here: Twitter: @ChrisderWahre Twitch: ChrisderWahre Dicord: ChrisderWahre#9694 0afe44cd8c4f080915d9eaf3a1af9437450178ac 1 3744 6391 6204 2018-04-21T20:34:57Z ChrisderWahre 2498 /* Translation to german */ new section wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. 74f1e1a179671c6d2a62ddc94ade7b042c53a7b2 6392 6391 2018-04-22T12:27:01Z JayFoxRox 2 /* Translation to german */ wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) 2bc277a6234a3f862ff00ce6418a432693bd7b0b 6394 6392 2018-04-28T01:20:22Z Mborgerson 2478 wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users [MB: agree]) 86b89c347bfc6ac53003e98dc947149089e3bd0d 6395 6394 2018-04-28T01:22:14Z Mborgerson 2478 wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) aafde7cc4dda8e4cc62dcf696d6ddc36c5e317b9 2 3948 6393 2018-04-22T13:07:46Z JayFoxRox 2 Created page with "For contact details, see http://jannikvogel.de/" wikitext text/x-wiki For contact details, see http://jannikvogel.de/ 29cffee1c8e0705a204e0e726d308ae4afe0229a 0 3669 6396 6282 2018-04-28T18:04:22Z DarkGabbz 2486 Added Xbox 1.3 Hardware changes wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0) * Philips (Xbox 1.2) * Samsung (Xbox 1.3) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] a5cd37f553b1db685073d19bb947986731bc103e 6397 6396 2018-04-28T18:06:06Z DarkGabbz 2486 /* DVD Drive */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] b2e94acddc99c5d6b9f34feebe21e7d28097f578 6398 6397 2018-04-28T18:07:20Z DarkGabbz 2486 /* Serial Number */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001-10/2002 || 1.0 || Hungary |- | 11/2002-04/2003 || 1.1 || Hungary, Mexico |- | 05/2003-03/2004 || 1.2 || China |- | 04/2004 Onward || 1.6 || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 8cafa47f7e7941386611adc936f3ad04b11d34f3 0 3669 6399 6398 2018-04-28T18:15:38Z DarkGabbz 2486 /* Manufacturing Details */ wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] dbdb7524d802994332ddb8d9dae5a50493219b4b 6407 6399 2018-05-14T21:04:15Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to Focus Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] ff69c97a16db18d3fee173cf862f31475b4fb8f1 6408 6407 2018-05-14T21:05:24Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink ** New MCPX revision 1.1 * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to Focus Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] cbde451f53d08e91685fac3fd5ea3c519573752d 6409 6408 2018-05-14T21:06:07Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to Focus Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] ff69c97a16db18d3fee173cf862f31475b4fb8f1 6410 6409 2018-05-14T21:06:18Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.2 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] a4f95ef0626915c3fb30d3eb6cec589e40696456 6422 6410 2018-05-26T22:45:27Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G ? |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 87243df8258c751de8cf08f8ffcfb1442466124f 2 3949 6400 2018-04-28T18:52:05Z DarkGabbz 2486 Created page with "This is a page." wikitext text/x-wiki This is a page. c65a8c44ad64bd588239c546f006bcd93e10142f 6401 6400 2018-04-30T20:19:04Z DarkGabbz 2486 wikitext text/x-wiki Xbox dude from germany nothing more nothing less. 5be26bdc270b79bd1b348b9cd557ef500912eff7 0 3909 6402 6387 2018-04-30T21:36:56Z DarkGabbz 2486 wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | - || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, disconnected reconnect to pin 15 to restore supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, disconnected. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 61878523be7bc8a732fa05d48b68883479d19427 6420 6402 2018-05-25T16:45:13Z Furon 2477 wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | SERIRQ (v1.0) || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, disconnected reconnect to pin 15 to restore supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, disconnected. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 78d610c5f00d0b08081a1124828d678ee0875bcc 0 3692 6403 5919 2018-05-03T19:33:17Z Codeasm 2480 Added official Xbox wireless adapter MN-740 details wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox install disk (wich would update the dashboard if nececairy). ==== hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ==== Firmware ==== The shipped firmware does not support WPA or WPA2. An "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings requirs connecting to the LAN port using a PC (or webbrowser capable application). The runs closed source "ThreadX JADE/Green Hills Version G4.0.4.0" RTOS and the firmware holds a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf: Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx: Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] 06bbac0c3b63d11dae83a5746ba1e6595729f2ba 6404 6403 2018-05-03T19:35:13Z Codeasm 2480 /* Firmware */ Spelling and wording mistake, me grammar much? wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox install disk (wich would update the dashboard if nececairy). ==== hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ==== Firmware ==== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf: Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx: Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] 91075788a4b3a69ac054024833aab46e073d2c38 6405 6404 2018-05-03T19:39:55Z Codeasm 2480 /* References and links */ fcc entry for Xbox MN-740 Wireless Adapter wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox install disk (wich would update the dashboard if nececairy). ==== hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ==== Firmware ==== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf: Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx: Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 80c20d1e068b076b81b5f6193b244bf0bf1bf552 6406 6405 2018-05-04T02:02:33Z JayFoxRox 2 Fix links wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox install disk (wich would update the dashboard if nececairy). ==== hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ==== Firmware ==== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 624b2eab46e46a5150f4f5834e81d4fc36a3993a 0 1 6411 6340 2018-05-21T10:33:29Z DarkGabbz 2486 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[Network|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] e3deb4df04ec00d750ef131a3266e4015fd63a34 6412 6411 2018-05-22T21:35:13Z DarkGabbz 2486 wikitext text/x-wiki {{:Main Page/Header}} == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 806e4febbed0e30158506aefd0b6a823730b1909 6435 6412 2018-06-21T17:35:31Z JayFoxRox 2 Remove TOC from frontpage wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] 7187001c5a5d5662f370c95aa9f07a3d45554f84 14 3950 6413 2018-05-24T19:23:35Z DarkGabbz 2486 Created blank page wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 3706 6414 5935 2018-05-24T19:27:43Z DarkGabbz 2486 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Xbox Alpha executable format== Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] a4f88c959f0370ac328c0127d5d9963cdadc114e 0 3831 6415 6222 2018-05-24T19:28:33Z DarkGabbz 2486 wikitext text/x-wiki XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use in the Xbox [[Dashboard]] as well as for promotional materials. The XTF versions of these fonts contain 7365 glyphs each. === Xbox.xtf === [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) The mesh data is stored as triangle list. 3 indices per triangle. {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts] [[Category:Fileformats]] 11ac458aaac8db7707af6eae7c93a7f518c5fc07 0 3951 6416 2018-05-24T19:30:31Z DarkGabbz 2486 Created page with "[[Category:Fileformats]]" wikitext text/x-wiki [[Category:Fileformats]] 2d487b4213e3a6d142917f647f6d0fc4f0c66d70 6418 6416 2018-05-24T19:32:08Z DarkGabbz 2486 wikitext text/x-wiki [[Category:Fileformats]] This is a dummy page c5db37b9920d4fd581c00f5874618c6ceb39c78f 0 3952 6417 2018-05-24T19:31:23Z DarkGabbz 2486 Created page with "[[Category:Fileformats]]" wikitext text/x-wiki [[Category:Fileformats]] 2d487b4213e3a6d142917f647f6d0fc4f0c66d70 6419 6417 2018-05-24T19:32:19Z DarkGabbz 2486 wikitext text/x-wiki [[Category:Fileformats]] This is a dummy page c5db37b9920d4fd581c00f5874618c6ceb39c78f 0 3748 6421 6355 2018-05-26T14:03:59Z DarkGabbz 2486 wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is also the hardware which is connected to the Power and Eject buttons. The PIC is running at 20 MHz with its own ROM, RAM and I/O lines. The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P11 * P2L{{citation needed}} * D01 (Seen in a debug kit) * D05 (seen in a earlier model chihiro) d557f04c0c6ebf29b20235216354f6a5b4b6c85f 0 3817 6423 5910 2018-06-02T08:20:52Z ColonelPanic 2500 /* Pinout */ Fixed tables per fixme request. Added interpretation of tables. wikitext text/x-wiki Microsoft released a handful of AV packs for the Xbox. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === The following table gives the pins in the way they are arranged on the female end of the '''XBOX AVIP''' cables. The male end is reversed and on the console. {| class="wikitable" !Description |Audio Right |Audio Right GND |SPDIF Digital Audio |V-Sync (VGA Mode) |Mode GND |Mode GND |Mode GND |GND |Variable |9 GND |Variable |11 GND |- !Pin !1 !2 !3 !4 !5 !6 !7 !8 !9 !10 !11 !12 |- !Pin !13 !14 !15 !16 !17 !18 !19 !20 !21 !22 !23 !24 |- !Description |Vcc |Audio Left |Audio Left GND |H Sync (VGA Mode) |Mode Select 1 |Mode Select 2 |Mode Select 3 |(+12V) |22 GND |Variable |24 GND |Variable |} == Supported signals / AV cables == Below is a table which lists all known officially AV cables released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || - || ''Not officially available / supported'' | Unknown Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm List of signals and pinout] bfa26f781870f2fa28f61f44032fea36483bfb2b 6424 6423 2018-06-02T12:49:05Z ColonelPanic 2500 Removed Male and Female Designations. Plus more cleanup. wikitext text/x-wiki Microsoft has released a handful of '''Audio Video Cables''' for the [[Xbox]], which they refer to internally as '''AV Packs'''. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === The following table gives the pinout in the way it is are arranged on the '''XBOX AVIP''' cables, or '''AV Packs'''. The other end is reversed and on the console. {| class="wikitable" !Description |Audio Right |Audio Right GND |SPDIF Digital Audio |V-Sync (VGA Mode) |Mode GND |Mode GND |Mode GND |GND |Variable |9 GND |Variable |11 GND |- !Pin !1 !2 !3 !4 !5 !6 !7 !8 !9 !10 !11 !12 |- !Pin !13 !14 !15 !16 !17 !18 !19 !20 !21 !22 !23 !24 |- !Description |Vcc |Audio Left |Audio Left GND |H Sync (VGA Mode) |Mode Select 1 |Mode Select 2 |Mode Select 3 |(+12V) |22 GND |Variable |24 GND |Variable |} == Supported signals / AV cables == Below is a table which lists all known officially '''AV cables''' released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! 19 || 18 || 17 || SMC Constant || Region || Official Microsoft product name ! Signal || 24 || 22 || 11 || 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || - || ''Not officially available / supported'' | Unknown Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm GamesX List of signals and pinout] * [https://assemblergames.com/attachments/xboxavippinouttr0-png.13081/ ASSEMBLERgames XBOX AV pinout] * [http://ucon64.sourceforge.net/ucon64misc/conn.html uCON64 Connectors] e21fedd9e1f338204e1367129a3d3e85cb70ddaf 6441 6424 2018-06-21T18:52:55Z JayFoxRox 2 /* Supported signals / AV cables */ wikitext text/x-wiki Microsoft has released a handful of '''Audio Video Cables''' for the [[Xbox]], which they refer to internally as '''AV Packs'''. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === The following table gives the pinout in the way it is are arranged on the '''XBOX AVIP''' cables, or '''AV Packs'''. The other end is reversed and on the console. {| class="wikitable" !Description |Audio Right |Audio Right GND |SPDIF Digital Audio |V-Sync (VGA Mode) |Mode GND |Mode GND |Mode GND |GND |Variable |9 GND |Variable |11 GND |- !Pin !1 !2 !3 !4 !5 !6 !7 !8 !9 !10 !11 !12 |- !Pin !13 !14 !15 !16 !17 !18 !19 !20 !21 !22 !23 !24 |- !Description |Vcc |Audio Left |Audio Left GND |H Sync (VGA Mode) |Mode Select 1 |Mode Select 2 |Mode Select 3 |(+12V) |22 GND |Variable |24 GND |Variable |} == Supported signals / AV cables == Below is a table which lists all known officially '''AV cables''' released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! Pin 19 || Pin 18 || Pin 17 || SMC Constant || Region || Official Microsoft product name ! Signal || Pin 24 || Pin 22 || Pin 11 || Pin 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || - || ''Not officially available / supported'' | Unknown Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm GamesX List of signals and pinout] * [https://assemblergames.com/attachments/xboxavippinouttr0-png.13081/ ASSEMBLERgames XBOX AV pinout] * [http://ucon64.sourceforge.net/ucon64misc/conn.html uCON64 Connectors] 9e0d0646a8dc93c05c85d3a6313cec54e3d350a0 14 3719 6425 5293 2018-06-02T22:26:06Z ColonelPanic 2500 Added some external resources wikitext text/x-wiki This page only contains games that the XboxDevWiki currently has entries for.<br/>You may also be interested in the following resources. *[https://en.wikipedia.org/wiki/List_of_Xbox_games Wikipedia's List of XBOX Games] *[https://en.wikipedia.org/wiki/List_of_Xbox_games_with_alternate_display_modes Wikipedia's List of XBOX Games With Alternate Display Modes] *[https://en.wikipedia.org/wiki/List_of_Xbox_network_games Wikipedia's List of XBOX Network Games] c1ce0dbe1431681926cd8161bb00e8657baa6c30 6426 6425 2018-06-02T22:30:47Z ColonelPanic 2500 One More for Chihiro wikitext text/x-wiki This page only contains games that the XboxDevWiki currently has entries for.<br/>You may also be interested in the following resources. *[https://en.wikipedia.org/wiki/List_of_Xbox_games Wikipedia's List of XBOX Games] *[https://en.wikipedia.org/wiki/List_of_Xbox_games_with_alternate_display_modes Wikipedia's List of XBOX Games With Alternate Display Modes] *[https://en.wikipedia.org/wiki/List_of_Xbox_network_games Wikipedia's List of XBOX Network Games] *[https://en.wikipedia.org/wiki/List_of_Sega_arcade_video_games#Chihiro Wikipedia's List of Sega Arcade Video Games (Chihiro)] 8a7c8fcc22f8106398ec95b7080d96005fec6582 6 3953 6427 2018-06-20T13:31:59Z Jackchentwkh 2501 SteelBattalion Controller Layout wikitext text/x-wiki SteelBattalion Controller Layout 554778044710e67e099945b07c126122cf761cc2 6432 6427 2018-06-21T16:54:28Z JayFoxRox 2 wikitext text/x-wiki Steel Battalion Controller Layout a6ee4eb2cda6dbf4bf71746fdd73ac08d8703beb 6433 6432 2018-06-21T17:00:58Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:SBC.jpg]] wikitext text/x-wiki Steel Battalion Controller Layout a6ee4eb2cda6dbf4bf71746fdd73ac08d8703beb 0 11 6428 6182 2018-06-20T13:33:33Z Jackchentwkh 2501 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == Controller Layout [[File:SBC.jpg]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03 |FIXME: WTF?! Mask might be bad? |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] d343fdffb6b4e2584cb09e06c9e609d621ccc0e6 6429 6428 2018-06-21T15:00:25Z JayFoxRox 2 Switched to thumbnail for controller layout, improved FIXME for potentially bad mask wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === ==== Controller to Xbox ==== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ==== Xbox to Controller ==== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 326ec4d7ee2b9fdbb9927ad3804bdc84f722230a 1 3954 6430 2018-06-21T15:05:12Z JayFoxRox 2 Created page with "== Split controllers into seperate articles == This article is getting pretty long. It probably makes sense to have a seperate article for each (potentially grouping or redir..." wikitext text/x-wiki == Split controllers into seperate articles == This article is getting pretty long. It probably makes sense to have a seperate article for each (potentially grouping or redirecting some). This change is largely motivated by the more unique ones like the Steel Battalion Controller, where we can show images and explain more about the internals if necessary. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:05, 21 June 2018 (PDT) 2eb7b85d5cb54afb2e0408e8929c12a58b53cf4c 7 3955 6431 2018-06-21T15:10:14Z JayFoxRox 2 Minor complaints wikitext text/x-wiki == Minor complaints == Cool image, just some minor complaints which can potentially be fixed in the future: * Image not cropped / centered * Comment should say where this file originated (I assume a manual scan?) * Bottom of image is cut-off * Small vertical seam near center * Different font for "Override", why? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:10, 21 June 2018 (PDT) 64f7c566f7f78530d553fc6a8c230d1607b034b1 6434 6431 2018-06-21T17:06:20Z JayFoxRox 2 /* Minor complaints */ wikitext text/x-wiki == Minor complaints == Cool image, just some minor complaints which can potentially be fixed in the future: * <s>Image not cropped / centered</s> * <s>Comment should say where this file originated (I assume a manual scan?)</s> * <s>Bottom of image is cut-off</s> * <s>Small vertical seam near center</s> * <s>Different font for "Override", why?</s> Upgraded. The font is probably due to a bug in the original manual. I have a different version of the manual where this text says "OVER DRIVE". The font in the fixed manual where it says "OVERRIDE" is also weird. So they probably just drew over the original with whatever font they had. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 08:10, 21 June 2018 (PDT) 17fbc33f3c89835e47e139c2b0bdd8788b45466c 1 3744 6436 6395 2018-06-21T18:12:16Z JayFoxRox 2 /* MediaWiki upgrade and plugins */ new section wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) dc0f0aab9f08c4c85e077d5b3c6ce4ac2278bfbf 6437 6436 2018-06-21T18:12:59Z JayFoxRox 2 /* MediaWiki housekeeping */ new section wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) aa70980c6bc6e764d7d85a89c1cdfef2e2db24f8 6438 6437 2018-06-21T18:13:59Z JayFoxRox 2 /* Logo */ wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) Can someone look at this again? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:13, 21 June 2018 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) 5fd75539edd8dad027bd8bc4f3bad595b65ca647 6440 6438 2018-06-21T18:51:09Z JayFoxRox 2 /* MediaWiki upgrade and plugins */ wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) Can someone look at this again? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:13, 21 June 2018 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might miss dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) e4633cc502092fef5e87f85777251ec374631f5c 0 3688 6439 6382 2018-06-21T18:47:21Z JayFoxRox 2 wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> This is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [https://discord.gg/WxJPPyz XboxDev on Discord], [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]) or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im]. You'll also get the details for wiki account creation there. </div> </div> 8413c63c97e5214985b0c408c69692e2070aa1bc 6448 6439 2018-06-26T17:39:19Z JayFoxRox 2 XboxDev hyppeeeee wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> XboxDevWiki is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. Also check out the [https://github.com/xboxdev XboxDev GitHub organization] where we provide tools and code related to Xbox research and development. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [https://discord.gg/WxJPPyz XboxDev on Discord], [irc://chat.freenode.net/xqemu #xqemu on Freenode IRC] ([http://webchat.freenode.net?channels=%23xqemu Webchat]) or [https://gitter.im/Cxbx-Reloaded/Lobby Cxbx-Reloaded on gitter.im]. You'll also get the details for wiki account creation there. </div> </div> a0f8972681396c03685bb1a6eeee0f7f4dcc069b 0 3703 6442 6379 2018-06-22T23:49:51Z JayFoxRox 2 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, it is significantly slower than in XQEMU. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] db902b26bc271859bd5c611a864263c751f1e9e9 6443 6442 2018-06-22T23:58:57Z JayFoxRox 2 Add OpenXBOX and Tortoise wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, it is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Windows | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 58eed96b1058c5a45f9b670f61a4f4bff877b0d4 6 3877 6444 6113 2018-06-23T23:54:26Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:Input-a.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3878 6445 6114 2018-06-23T23:54:58Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:Input-b.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3879 6446 6115 2018-06-23T23:55:20Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:Input-x.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3880 6447 6116 2018-06-23T23:55:44Z JayFoxRox 2 JayFoxRox uploaded a new version of [[File:Input-y.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 3695 6449 5888 2018-06-26T18:23:15Z JayFoxRox 2 wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == The following list was almost entirely created by [https://www.youtube.com/user/pcmaker2 pcmaker (also known as John Godgames)] around 2015. '''There is also a [https://docs.google.com/spreadsheets/d/1sVtQ9SNPathKAMCqfYtvJQP0bs0UeLzP9otPHvZDMwE/edit#gid=709879345 new compatibility list from 2018] (also by pcmaker)''' Meaning of the status fields: {| class="wikitable" !Status !Meaning |- |Nothing |Not showing anything due to error |- |Intro |Shows something as Intro / Menu |- |Ingame |Ingame (Graphical bugs) |- |Playable* |Partially playable or expected to be fully playable but not tested completly yet |- |Playable |Partially playable / Fully playable |} {{:XQEMU/Compatibility List}} == XQEMU-JFR == XQEMU-JFR is a now defunct fork of XQEMU by JayFoxRox. Most of the changes have since been integrated back into the official version of XQEMU. The archived version can be found at https://github.com/JayFoxRox/xqemu-jfr ba99a9424349cb7cff0c836f6f9840a9b18234a9 1 3744 6450 6440 2018-06-26T21:29:34Z JayFoxRox 2 /* E-Mails don't work */ new section wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) Can someone look at this again? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:13, 21 June 2018 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might miss dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == E-Mails don't work == LukeUsher reported trying to request a forgot-password, but got no emails either. Speculation was MX/SPF records. While looking for admin options on mediawiki, I noticed "Your email address is not yet confirmed. No email will be sent for any of the following features. '''Confirm your email address'''" in http://xboxdevwiki.net/Special:Preferences ; so I pressed it and all I got was: "Mailer returned: Unknown error in PHP's mail() function." So it looks like mails are broken. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 26 June 2018 (PDT) 08e49f4837ed0e5a3be7422a4efcd424c3971237 6451 6450 2018-06-26T21:30:04Z JayFoxRox 2 /* E-Mails don't work */ wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) Can someone look at this again? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:13, 21 June 2018 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might miss dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == E-Mails don't work == LukeUsher reported trying to request a forgot-password, but got no emails either. Speculation was MX/SPF records. While looking for admin options on mediawiki, I noticed: Your email address is not yet confirmed. No email will be sent for any of the following features. '''Confirm your email address''' in http://xboxdevwiki.net/Special:Preferences ; so I pressed it and all I got was: "Mailer returned: Unknown error in PHP's mail() function." So it looks like mails are broken. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 26 June 2018 (PDT) 45d7f228372eea9f4d318c0851c6c74f0239d264 6452 6451 2018-06-26T21:32:07Z JayFoxRox 2 /* Add extension to merge users */ new section wikitext text/x-wiki == Cleanup == The main page could stand to be cleaned up now that we have many pages in the wiki. Also some pictures would be nice. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Re cleanup I was going to do something like the navigation at https://www.3dbrew.org/wiki/Main_Page - but I only ever finished the box on top. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) == Logo == Also we need a wiki logo. See [https://commons.wikimedia.org/wiki/User:Evan-Amos/VOGM/Xbox here] for some great high-quality pictures. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed. [https://upload.wikimedia.org/wikipedia/commons/thumb/4/43/Xbox-console.jpg/800px-Xbox-console.jpg I vote this one (Click here)]. Maybe we can add a text to it later or replace it with one which suggests we are interested in the internals, but so far, I don't like the others --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 01:34, 26 May 2017 (PDT) Can someone look at this again? --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:13, 21 June 2018 (PDT) == Contribution Policy == I also think we should create a contribution policy page. One thought on the matter is this: Instead of linking to content elsewhere, we should try to bring as much content into the wiki as possible. This is so we don't lose valuable content as things tend to become unavailable over time (that is, dead links). It also makes for a better experience when browsing the wiki and provides a place for visitors to improve the info. [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 17:10, 25 May 2017 (PDT) Agreed: the {{input-*}} templates are being used.. differently. we use `A+B`; `A,B`; `AB`; `A B`; `A then B`; ... all of them are supposed to mean: "press B after pressing A" IMO: `A + B` is always pressing "A and B at same time"; for sequences we should always use something like `A, B + Y, X` (= press "A", then "B and Y at same time", then press "X") --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 12:24, 5 September 2017 (PDT) == Translation to german == Hey i would like to translate some pages into german, can anyone explain how i can translate them? :) Greetings. ---- : I'm not sure if there is any benefit in this. : As the articles mostly focus on technical documentation, there'd be a lot of english terms anyway (regardless of main-language). : I'd assume any reader who is able to make sense of this information already speaks english good enough. : Also, even internationally, we are a rather small community. : So introducing the small subset of germans with technical skills but without english language skills wouldn't add any new readers or writers. : We'd also run into further administration issues: : We currently don't even patrol page changes, because we don't have enough time / people to do it. : With 2 languages there's also the risk of articles going out-of-sync. : (There is also the minor issue that I don't know how mediawiki handles translations, but this is the least of our problems) : If you want to attract new people (beginners or people who still lack skills in english), I'd suggest writing posts on another medium instead. : For example, a blog post which puts stuff in layman terms (in whatever language you feel like), but might cross-reference XboxDevWiki as a source. : I think google or some other translation services have features which allow translation of websites as some kind of interactive overlay. : So it's auto-translated but you can improve the translation. : I'd prefer these methods over overcomplicating XboxDevWiki with niche features which target a very small fraction (maybe none?) of the community, but add a maintenance burden. : --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 05:27, 22 April 2018 (PDT) (This is my personal opinion, I don't speak on behalf of the other wiki admins / users) : +1 [[User:Mborgerson|Mborgerson]] ([[User talk:Mborgerson|talk]]) 18:22, 27 April 2018 (PDT) == MediaWiki upgrade and plugins == It would be nice if the MediaWiki was upgraded to 1.31 In addition, I'd like to see these extensions: * https://www.mediawiki.org/wiki/Extension:SyntaxHighlight so we finally get good code display. This wiki is getting more and more code. * https://www.mediawiki.org/wiki/Extension:Math to display formulas nicely. * https://www.mediawiki.org/wiki/Extension:ImageMap to create block diagrams, although we might need a more feature rich extension in the future. * https://www.mediawiki.org/wiki/Extension:EasyTimeline might be useful for Xbox production timeline etc. * https://www.mediawiki.org/wiki/Extension:RevisionSlider Make it easier to compare revisions. Note that some of these extensions should have been included in the mediawiki version we use. I'm not sure how our mediawiki was installed or if we might miss dependencies. And possibly these (not sure): * https://www.mediawiki.org/wiki/Extension:TemplateStyles to handle style changes for special pages such as the main-page, and making it easier to add good looking content / giving users more freedom. (This might be a security risk and could potentially be handled with templates instead) * https://www.mediawiki.org/wiki/Extension:TemplateData possibly to make it easier to re-use wiki content elsewhere in ecosystem. (I did not review this extension properly yet, and I'm not sure if we'd ever use it) * https://www.mediawiki.org/wiki/Extension:StructuredDiscussions to make it easy to discuss stuff. I think the poor discussion/talk pages on wikis are horrible. (This is still in beta but had no development for 3 years. It's what mediawiki uses for their own discussions though; we'd also have to convert existing discussion pages - potentially manually) --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == MediaWiki housekeeping == Our statistics have been severly broken for a long time: http://xboxdevwiki.net/Special:Statistics This might fix it, so it could be worth a shot: https://www.mediawiki.org/wiki/Manual:InitSiteStats.php --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 11:12, 21 June 2018 (PDT) == E-Mails don't work == LukeUsher reported trying to request a forgot-password, but got no emails either. Speculation was MX/SPF records. While looking for admin options on mediawiki, I noticed: Your email address is not yet confirmed. No email will be sent for any of the following features. '''Confirm your email address''' in http://xboxdevwiki.net/Special:Preferences ; so I pressed it and all I got was: "Mailer returned: Unknown error in PHP's mail() function." So it looks like mails are broken. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:29, 26 June 2018 (PDT) == Add extension to merge users == If someone creates a second account (password forgotten or something), we should have the option to merge their account with their old one. We need an extension for this: https://www.mediawiki.org/wiki/Extension:UserMerge --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 14:32, 26 June 2018 (PDT) b1fdeb4a8a7e3579e8345d00c4cde66beed1daba 0 13 6453 5302 2018-06-26T22:56:23Z JayFoxRox 2 Improved formatting and added shader information dumped by LukeUsher wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w add r5.x, c32.z, -v1.x dph r6.x, v0, c0 +exp r1.y, r4 dph r6.y, v0, c1 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 dph r6.z, v0, c2 +exp r1.y, r4.y dph r8.x, v0, c3 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 dph r8.y, v0, c4 +exp r1.y, r4.z dph r8.z, v0, c5 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 dp3 r8.w, r8.xyz, r8.xyz dph oT0.x, v9, c9 mov r9, c58 +rsq r1.w, r8.w dph oT0.y, v9, c10 mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 dph oFog.x, r3, c24 max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mul oD0, r3, c90 mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === <pre> xvs.1.1 add r0.xyz, v0, c91 mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mul oT0.xy, v9, c32.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dph oPos.w, r10, c24 dph oFog.x, r10, c24 mov r2, c58 dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 dph oT0.x, v9, c9 max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 dph oT0.y, v9, c10 mul oD0, r6, c90 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu 1f35ac7bc38503247a83460ef8bb8285191e7a2b 6454 6453 2018-06-27T12:10:28Z JayFoxRox 2 Document skin.xvu a little wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w add r5.x, c32.z, -v1.x dph r6.x, v0, c0 +exp r1.y, r4 dph r6.y, v0, c1 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 dph r6.z, v0, c2 +exp r1.y, r4.y dph r8.x, v0, c3 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 dph r8.y, v0, c4 +exp r1.y, r4.z dph r8.z, v0, c5 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 dp3 r8.w, r8.xyz, r8.xyz dph oT0.x, v9, c9 mov r9, c58 +rsq r1.w, r8.w dph oT0.y, v9, c10 mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 dph oFog.x, r3, c24 max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mul oD0, r3, c90 mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === <pre> xvs.1.1 add r0.xyz, v0, c91 mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mul oT0.xy, v9, c32.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === '''Vertex attributes''' * v0.xyzw = Position * v1.x = vertex weight * v2.xyz = Normal * v9.xyz = Texture1 coordinates '''Constants''' * -c57.xyz = ? * -c56.xyz = ? * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c0.xyzw - c3.xyzw = matrix bone[0] ? * c3.xyzw - c5.xyzw = matrix bone[1] ? * c9.xyzw = Texture U matrix * c10.xyzw = Texture V matrix * c21.xyzw - c24.xyzw = projection-matrix ? * c32.x = CONSTANT() ? * c32.z = CONSTANT(1.0) * c58.xyzw = ? * c59.xyzw = ? * c60.xyzw = ? * c90.xyzw = factor for diffuse color '''Code''' <pre> xvs.1.1 # Get (1.0 - vertex weight) add r2.x, c32.z, -v1.x # Transform bone[0] normal ? dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 # Transform bone[1] normal ? dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 # r6.xyz = mix(r4.xyz, r3.xyz, v1.x) mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz # Transform bone[0] vertex dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 # Transform bone[1] vertex dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz # Calculate output position dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dph oPos.w, r10, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r10, c24 mov r2, c58 dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 # Forward texture U dph oT0.x, v9, c9 max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 # Forward texture V dph oT0.y, v9, c10 # Forward diffuse color mul oD0, r6, c90 # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu 8a8d979523ed8abc0b3711cba87d47378e2f81cc 6455 6454 2018-06-27T12:21:00Z JayFoxRox 2 More updates to skin.xvu wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w add r5.x, c32.z, -v1.x dph r6.x, v0, c0 +exp r1.y, r4 dph r6.y, v0, c1 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 dph r6.z, v0, c2 +exp r1.y, r4.y dph r8.x, v0, c3 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 dph r8.y, v0, c4 +exp r1.y, r4.z dph r8.z, v0, c5 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 dp3 r8.w, r8.xyz, r8.xyz dph oT0.x, v9, c9 mov r9, c58 +rsq r1.w, r8.w dph oT0.y, v9, c10 mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 dph oFog.x, r3, c24 max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mul oD0, r3, c90 mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === <pre> xvs.1.1 add r0.xyz, v0, c91 mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mul oT0.xy, v9, c32.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === '''Vertex attributes''' * v0.xyzw = Position * v1.x = vertex weight * v2.xyz = Normal * v9.xyz = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c0.xyzw - c3.xyzw = matrix bone[0] ? * c3.xyzw - c5.xyzw = matrix bone[1] ? * c9.xyzw = Texture U matrix * c10.xyzw = Texture V matrix * c21.xyzw - c24.xyzw = projection-matrix ? * c32.x = CONSTANT() ? * c32.z = CONSTANT(1.0) * c56.xyz - c57.xyz = some normal matrix * c58.xyzw = ? * c59.xyzw = ? * c60.xyzw = ? * c90.xyzw = light diffuse color ? '''Code''' <pre> xvs.1.1 # Get (1.0 - vertex weight) add r2.x, c32.z, -v1.x # Transform bone[0] normal ? dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 # Transform bone[1] normal ? dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 # Blend normals: r6.xyz = mix(r4.xyz, r3.xyz, v1.x) mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz # Transform bone[0] vertex dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 # Transform bone[1] vertex dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 # Blend vertices: r10.xyz = mix(r8.xyz, r7.xyz, v1.x) mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz # Calculation squared normal length dp3 r11.w, r6.xyz, r6.xyz # Calculate output position (xy) dph oPos.y, r10, c22 dph oPos.x, r10, c21 # Turn squared normal length into length: r1.w = 1.0 / length(normal) +rsq r1.w, r11.w # Calculate output position (z) dph oPos.z, r10, c23 # Multiply normal by it's inverse length: r0.xyz = normalize(normal) mul r0.xyz, r6.xyz, r1.w # Calculate output position (w) dph oPos.w, r10, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r10, c24 # Dead code? mov r2, c58 # Something with normal.xy dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 # Forward texture U dph oT0.x, v9, c9 # Something to do with lighting max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 # Forward texture V dph oT0.y, v9, c10 # Calculate diffuse color mul oD0, r6, c90 # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu f8863635f992e7b62858592e05b8c6450e3df962 6456 6455 2018-06-27T12:36:27Z JayFoxRox 2 Annotation for grass.xvu wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w add r5.x, c32.z, -v1.x dph r6.x, v0, c0 +exp r1.y, r4 dph r6.y, v0, c1 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 dph r6.z, v0, c2 +exp r1.y, r4.y dph r8.x, v0, c3 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 dph r8.y, v0, c4 +exp r1.y, r4.z dph r8.z, v0, c5 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 dp3 r8.w, r8.xyz, r8.xyz dph oT0.x, v9, c9 mov r9, c58 +rsq r1.w, r8.w dph oT0.y, v9, c10 mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 dph oFog.x, r3, c24 max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mul oD0, r3, c90 mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === '''Vertex attributes''' * v0.xyzw = Position * v3.xyzw = Diffuse color * v9.xy = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c21.xyzw - c24.xyzw = world-view-projection-matrix ? * c32.w = texture scale * c91.xyz = object position '''Code''' <pre> xvs.1.1 # Add object position to vertex position add r0.xyz, v0, c91 # Forward diffuse color mov oD0, v3 # Calculate output position dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r0, c24 # Scale texture mul oT0.xy, v9, c32.w # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === '''Vertex attributes''' * v0.xyzw = Position * v1.x = vertex weight * v2.xyz = Normal * v9.xyz = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c0.xyzw - c3.xyzw = matrix bone[0] ? * c3.xyzw - c5.xyzw = matrix bone[1] ? * c9.xyzw = Texture U matrix * c10.xyzw = Texture V matrix * c21.xyzw - c24.xyzw = projection-matrix ? * c32.x = CONSTANT() ? * c32.z = CONSTANT(1.0) * c56.xyz - c57.xyz = some normal matrix * c58.xyzw = ? * c59.xyzw = ? * c60.xyzw = ? * c90.xyzw = light diffuse color ? '''Code''' <pre> xvs.1.1 # Get (1.0 - vertex weight) add r2.x, c32.z, -v1.x # Transform bone[0] normal ? dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 # Transform bone[1] normal ? dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 # Blend normals: r6.xyz = mix(r4.xyz, r3.xyz, v1.x) mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz # Transform bone[0] vertex dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 # Transform bone[1] vertex dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 # Blend vertices: r10.xyz = mix(r8.xyz, r7.xyz, v1.x) mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz # Calculation squared normal length dp3 r11.w, r6.xyz, r6.xyz # Calculate output position (xy) dph oPos.y, r10, c22 dph oPos.x, r10, c21 # Turn squared normal length into length: r1.w = 1.0 / length(normal) +rsq r1.w, r11.w # Calculate output position (z) dph oPos.z, r10, c23 # Multiply normal by it's inverse length: r0.xyz = normalize(normal) mul r0.xyz, r6.xyz, r1.w # Calculate output position (w) dph oPos.w, r10, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r10, c24 # Dead code? mov r2, c58 # Something with normal.xy dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 # Forward texture U dph oT0.x, v9, c9 # Something to do with lighting max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 # Forward texture V dph oT0.y, v9, c10 # Calculate diffuse color mul oD0, r6, c90 # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu 9dfa4c071776050439ce0859232b36355530c1c6 6457 6456 2018-06-27T12:41:14Z JayFoxRox 2 Fix bugs in grass.xvu wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w add r5.x, c32.z, -v1.x dph r6.x, v0, c0 +exp r1.y, r4 dph r6.y, v0, c1 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 dph r6.z, v0, c2 +exp r1.y, r4.y dph r8.x, v0, c3 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 dph r8.y, v0, c4 +exp r1.y, r4.z dph r8.z, v0, c5 mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 dp3 r8.w, r8.xyz, r8.xyz dph oT0.x, v9, c9 mov r9, c58 +rsq r1.w, r8.w dph oT0.y, v9, c10 mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 dph oFog.x, r3, c24 max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mul oD0, r3, c90 mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === '''Vertex attributes''' * v0.xyz = Position * v3.xyzw = Diffuse color * v9.xy = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c21.xyzw - c24.xyzw = world-view-projection-matrix ? * c32.w = Texture1 scale * c91.xyz = Object position '''Code''' <pre> xvs.1.1 # Add object position to vertex position add r0.xyz, v0, c91 # Forward diffuse color mov oD0, v3 # Calculate output position dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r0, c24 # Scale texture mul oT0.xy, v9, c32.w # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === '''Vertex attributes''' * v0.xyzw = Position * v1.x = vertex weight * v2.xyz = Normal * v9.xyz = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c0.xyzw - c3.xyzw = matrix bone[0] ? * c3.xyzw - c5.xyzw = matrix bone[1] ? * c9.xyzw = Texture U matrix * c10.xyzw = Texture V matrix * c21.xyzw - c24.xyzw = projection-matrix ? * c32.x = CONSTANT() ? * c32.z = CONSTANT(1.0) * c56.xyz - c57.xyz = some normal matrix * c58.xyzw = ? * c59.xyzw = ? * c60.xyzw = ? * c90.xyzw = light diffuse color ? '''Code''' <pre> xvs.1.1 # Get (1.0 - vertex weight) add r2.x, c32.z, -v1.x # Transform bone[0] normal ? dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 # Transform bone[1] normal ? dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 # Blend normals: r6.xyz = mix(r4.xyz, r3.xyz, v1.x) mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz # Transform bone[0] vertex dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 # Transform bone[1] vertex dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 # Blend vertices: r10.xyz = mix(r8.xyz, r7.xyz, v1.x) mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz # Calculation squared normal length dp3 r11.w, r6.xyz, r6.xyz # Calculate output position (xy) dph oPos.y, r10, c22 dph oPos.x, r10, c21 # Turn squared normal length into length: r1.w = 1.0 / length(normal) +rsq r1.w, r11.w # Calculate output position (z) dph oPos.z, r10, c23 # Multiply normal by it's inverse length: r0.xyz = normalize(normal) mul r0.xyz, r6.xyz, r1.w # Calculate output position (w) dph oPos.w, r10, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r10, c24 # Dead code? mov r2, c58 # Something with normal.xy dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 # Forward texture U dph oT0.x, v9, c9 # Something to do with lighting max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 # Forward texture V dph oT0.y, v9, c10 # Calculate diffuse color mul oD0, r6, c90 # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu e521697312fab88a10973e75f102b2abc793610c 6483 6457 2018-08-17T23:34:05Z JayFoxRox 2 Add rough comments, based on skin.xvu knowledge wikitext text/x-wiki {{Game}} == Shaders == These shaders have been disassembled. Any comment was added manually and does not come from the game files. === blackskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dph r3.x, v0, c0 dph r3.y, v0, c1 dph r3.z, v0, c2 dph r4.x, v0, c3 dph r4.y, v0, c4 dph r4.z, v0, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph oPos.x, r6, c21 dph oPos.y, r6, c22 dph oPos.z, r6, c23 dph oPos.w, r6, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === cloth.xvu === <pre> xvs.1.1 # Unknown mov r2.w, c48.x mul r3.w, r2.w, c80.z mad r4.xyz, c80.x, v0.xyz, r3.w # Get (1.0 - vertex weight) add r5.x, c32.z, -v1.x # Transform bone[0] vertex.x dph r6.x, v0, c0 # Unknown +exp r1.y, r4 # Transform bone[0] vertex.y dph r6.y, v0, c1 # Unknown mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.x, r1.xyz, c36 # Transform bone[0] vertex.z dph r6.z, v0, c2 # Unknown +exp r1.y, r4.y # Transform bone[1] vertex.x dph r8.x, v0, c3 # Unknown mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.y, r1.xyz, c36 # Transform bone[1] vertex.y dph r8.y, v0, c4 # Unknown +exp r1.y, r4.z # Transform bone[1] vertex.z dph r8.z, v0, c5 # Unknown mul r1.x, r1.y, r1.y mul r1.z, r1.x, r1.y dp3 r7.z, r1.xyz, c36 # Blend vertices: r10.xyz = mix(r8.xyz, r6.xyz, v1.x) mul r9.xyz, r6.xyz, v1.x mad r10.xyz, r8.xyz, r5.x, r9.xyz # Unknown mul r11.w, v3.y, c80.y mul r0.w, r11.w, c92.w mad r2.xyz, r7.xyz, r0.w, r10.xyz mad r3.xyz, -c92.xyz, v3.z, r2.xyz # Transform bone[0] normal ? dp3 r4.x, v2, c0 dp3 r4.y, v2, c1 dp3 r4.z, v2, c2 # Transform bone[1] normal ? dp3 r6.x, v2, c3 dp3 r6.y, v2, c4 dp3 r6.z, v2, c5 # Blend vertices: r8.xyz = mix(r6.xyz, r4.xyz, v1.x) mul r7.xyz, r4.xyz, v1.x mad r8.xyz, r6.xyz, r5.x, r7.xyz # Calculate output position dph oPos.x, r3, c21 dph oPos.y, r3, c22 dph oPos.z, r3, c23 dph oPos.w, r3, c24 # Calculation squared normal length dp3 r8.w, r8.xyz, r8.xyz # Forward texture U dph oT0.x, v9, c9 # Unknown mov r9, c58 # Turn squared normal length into length: r1.w = 1.0 / length(normal) +rsq r1.w, r8.w # Forward texture V dph oT0.y, v9, c10 # Unknown mul r10.xyz, r8.xyz, r1.w dp3 r11.x, r10, -c56 dp3 r11.y, r10, -c57 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r3, c24 # Something to do with lighting max r0.xy, r11.xy, c32.x mad r2, r0.x, c59, r9 mad r3, r0.y, c60, r2 # Viewport or something? (D3D boilerplate part 1) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w # Calculate diffuse color mul oD0, r3, c90 # Viewport or something? (D3D boilerplate part 2) mad oPos.xyz, r12, r1.x, c-37 </pre> === geom.xvu === <pre> xvs.1.1 add r0.xyz, v0.xyz, c91.xyz mov oD0, v3 dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 dph oFog.x, r0, c24 mov oT0.xy, v9 mul oT1.xy, v9, c91.w mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === grass.xvu === '''Vertex attributes''' * v0.xyz = Position * v3.xyzw = Diffuse color * v9.xy = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c21.xyzw - c24.xyzw = world-view-projection-matrix ? * c32.w = Texture1 scale * c91.xyz = Object position '''Code''' <pre> xvs.1.1 # Add object position to vertex position add r0.xyz, v0, c91 # Forward diffuse color mov oD0, v3 # Calculate output position dph oPos.x, r0, c21 dph oPos.y, r0, c22 dph oPos.z, r0, c23 dph oPos.w, r0, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r0, c24 # Scale texture mul oT0.xy, v9, c32.w # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorlight.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD0.xyz, r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.w, r4, c12 dph r7.y, r4, c10 dph r7.x, r4, c9 +rcp r1.w, r5.w dph oT1.x, r4, c13 max r6.w, r1.w, -r1.w mul oT0.xy, r7.xy, r6.w mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorshadow.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 dp3 r3.x, v2, c92 dph oPos.x, r2, c21 dph oPos.y, r2, c22 dph oPos.z, r2, c23 dph oPos.w, r2, c24 mad oD1.xyz, -r3.x, c32.y, c32.y dph r4.x, r2, c6 dph r4.y, r2, c7 dph r4.z, r2, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r5.x, r4, c9 dph r5.y, r4, c10 dph oT1.x, r4, c11 mul oT0.xy, r5.xy, c33 mad oPos.xyz, r12, r1.x, c-37 </pre> === projectorskin.xvu === <pre> xvs.1.1 add r2.x, c32.z, -v1.x dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz dp3 r11.w, r6.xyz, r6.xyz dph oPos.y, r10, c22 dph oPos.x, r10, c21 +rsq r1.w, r11.w dph oPos.z, r10, c23 mul r0.xyz, r6.xyz, r1.w dp3 r2.x, r0.xyz, c92 dph oPos.w, r10, c24 mad oD0.xyz, r2.x, c32.y, c32.y dph r3.x, r10, c6 dph r3.y, r10, c7 dph r3.z, r10, c8 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w dph r4.w, r3, c12 dph r6.y, r3, c10 dph r6.x, r3, c9 +rcp r1.w, r4.w dph oT1.x, r3, c13 max r5.w, r1.w, -r1.w mul oT0.xy, r6.xy, r5.w mad oPos.xyz, r12, r1.x, c-37 </pre> === skin.xvu === '''Vertex attributes''' * v0.xyzw = Position * v1.x = vertex weight * v2.xyz = Normal * v9.xyz = Texture1 coordinates '''Constants''' * c-38.xyz = viewport? (D3D boilerplate) * c-37.xyz = viewport? (D3D boilerplate) * c0.xyzw - c3.xyzw = matrix bone[0] ? * c3.xyzw - c5.xyzw = matrix bone[1] ? * c9.xyzw = Texture U matrix * c10.xyzw = Texture V matrix * c21.xyzw - c24.xyzw = projection-matrix ? * c32.x = CONSTANT() ? * c32.z = CONSTANT(1.0) * c56.xyz - c57.xyz = some normal matrix * c58.xyzw = ? * c59.xyzw = ? * c60.xyzw = ? * c90.xyzw = light diffuse color ? '''Code''' <pre> xvs.1.1 # Get (1.0 - vertex weight) add r2.x, c32.z, -v1.x # Transform bone[0] normal ? dp3 r3.x, v2, c0 dp3 r3.y, v2, c1 dp3 r3.z, v2, c2 # Transform bone[1] normal ? dp3 r4.x, v2, c3 dp3 r4.y, v2, c4 dp3 r4.z, v2, c5 # Blend normals: r6.xyz = mix(r4.xyz, r3.xyz, v1.x) mul r5.xyz, r3.xyz, v1.x mad r6.xyz, r4.xyz, r2.x, r5.xyz # Transform bone[0] vertex dph r7.x, v0, c0 dph r7.y, v0, c1 dph r7.z, v0, c2 # Transform bone[1] vertex dph r8.x, v0, c3 dph r8.y, v0, c4 dph r8.z, v0, c5 # Blend vertices: r10.xyz = mix(r8.xyz, r7.xyz, v1.x) mul r9.xyz, r7.xyz, v1.x mad r10.xyz, r8.xyz, r2.x, r9.xyz # Calculation squared normal length dp3 r11.w, r6.xyz, r6.xyz # Calculate output position (xy) dph oPos.y, r10, c22 dph oPos.x, r10, c21 # Turn squared normal length into length: r1.w = 1.0 / length(normal) +rsq r1.w, r11.w # Calculate output position (z) dph oPos.z, r10, c23 # Multiply normal by it's inverse length: r0.xyz = normalize(normal) mul r0.xyz, r6.xyz, r1.w # Calculate output position (w) dph oPos.w, r10, c24 # Generate fog depth (same as oPos.w - somehow not optimized?) dph oFog.x, r10, c24 # Dead code? mov r2, c58 # Something with normal.xy dp3 r3.x, r0, -c56 dp3 r3.y, r0, -c57 # Forward texture U dph oT0.x, v9, c9 # Something to do with lighting max r4.xy, r3.xy, c32.x mad r5, r4.x, c59, r2 mad r6, r4.y, c60, r5 # Forward texture V dph oT0.y, v9, c10 # Calculate diffuse color mul oD0, r6, c90 # Viewport or something? (D3D boilerplate) mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> === wiggle.xvu === <pre> xvs.1.1 dph r2.x, v0, c0 dph r2.y, v0, c1 dph r2.z, v0, c2 mov r3.xy, c48.x +mov oT0.xy, v9 dp3 r4.x, r2, c72 dp3 r4.y, r2, c73 mad r5.xy, r3.xy, c74.xy, r4.xy dp3 r6.x, v2, c0 mov r7.z, c32.x +exp r1.y, r5 exp r8.y, r5.y mul r1.x, r1.y, r1.y mul r8.x, r8.y, r8.y +mov oD0, c32.z mul r1.z, r1.x, r1.y mul r8.z, r8.x, r8.y dp3 r7.x, r1.xyz, c36 dp3 r7.y, r8.xyz, c36 dp3 r6.y, v2, c1 dp3 r6.z, v2, c2 dp3 r9.x, r7.xyz, c74.zw mul r10.xyz, r6, v3.x mad r11.xyz, r10, r9.x, r2 dph oPos.x, r11, c21 dph oPos.y, r11, c22 dph oPos.z, r11, c23 dph oPos.w, r11, c24 dph oFog.x, r11, c24 mul oPos.xyz, r12, c-38 +rcc r1.x, r12.w mad oPos.xyz, r12, r1.x, c-37 </pre> == Demo == There was a demo released for ??? on ???. === Rendering in the Demo === This is a rundown of how the scene is being rendered in the THPS2X Demo version Rendering happens in this order: # World # Skater #* Shader: cloth.xvu # HUD # Shadows ## Skater ##* Skater shadows are rendered into a 256x256 texture after the entire scene has been rendered ##* Shader: blackskin.xvu 0b639ba771fa3c4c183668a4e63d69848ac5bbbd 0 11 6458 6429 2018-07-03T19:12:26Z JayFoxRox 2 /* Protocol */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x1000 for input ** 0x2000 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 9 * wValue: 0x2000 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x1000 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported. * ACK if supported. * NAK if supported but no changes since last ACK. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] debe776229aa08e4b65e6ae49a03a28e3e72b800 6459 6458 2018-07-03T23:28:32Z JayFoxRox 2 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported. * ACK if supported. * NAK if supported but no changes since last ACK. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 076a84b05479d2e690f79bf6e792a9a5f9a53096 6460 6459 2018-07-04T02:24:33Z JayFoxRox 2 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported. * ACK if supported. * NAK if supported but no changes since last ACK. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 15f894d8e80c49044dde6fec249a836ce976ca0a 6462 6460 2018-07-04T22:39:34Z JayFoxRox 2 /* GET_REPORT */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 4e70f540d209f6ab064e0c31c74ba20b66ae21ae 6463 6462 2018-07-04T22:40:40Z JayFoxRox 2 /* Interrupt transfers */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] eef4b18b792728ec6a95bef70ec77fd3e4ee7398 6464 6463 2018-07-04T23:48:59Z JayFoxRox 2 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] c4c3a629c14cb541d221fdeaaf599da86723df2e 6465 6464 2018-07-04T23:51:21Z JayFoxRox 2 /* GET_DESCRIPTOR */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Green |USB D- |- |2 |White |USB D+ |- |3 |Black |GND |- |4 |Red |VCC |- |5 |Yellow |VBlank signal from video output (for Lightguns) |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 115450aba0da99cc1b94645b78ee9d480300f09c 0 3822 6461 5945 2018-07-04T20:07:02Z Codeasm 2480 Added details that people suggested based on undisclosed sources wikitext text/x-wiki There are a few hardware diferences and software diferences between development kits, but generaly the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are diferences internaly from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the developement kits and debugkits. Some rare boards are found with diferent MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unkown port) its been rumoured that the blocked USB port (unblocked on DVT3) on the back of Developement kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debuging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of carefull debugging of the running kernel and diagnose occuring faults or errors. At early boot of the recovery software an network ip adress is attempted to setup probbaly for another way of diagnosing and remote control using the availeble software like later xdk software. The Alpha is build with the following parts or software: === Alpha I === * Intel VC820, running a prerelease Bios * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforce 2 GTS 64MB * An xircom PCPGI2(OPTI 82C861) 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} * Hard drive is a WD205AA (20.5 Gb) or fujitsu MPF3204AT (20.4 Gb) * ATNG 250w or a 300w powersupply These where then programmed by use of a recovery disk that "recovered" the system. The case is a customized globalwin ycc-802. (color silver and an added jewel) === Apha II === The Alpha II was a upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN * Nvidia Geforce3 NV20 (64MB ram) with a Preretail firmware (180-p0050-0000-a09) An supplied Recovery made the nececairy firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha/ Same hardware as a Alpha I/II, but you dont seem to need the preretail firmwares or bioses. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out suboard isnt nececairy, as VGA seems to work fine. color or diferent kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while on purpose incorrectly installed or configured the computer. These results may vary with official parts, configs, bios or firmware. Or due to diferences in hardware. these are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primairy channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was under test. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] f50558dd171ccb5947e25c3ceeeceee2ff82f28a 6 3956 6466 2018-07-06T20:41:08Z Haxar 2485 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6468 6466 2018-07-07T01:25:47Z Haxar 2485 Haxar uploaded a new version of [[File:Haxar-a20m.jpg]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 3751 6467 6374 2018-07-06T20:47:31Z Haxar 2485 /* A20M# hack */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer found a savedgame exloit and shared it on Discord and later with Rocky5 for his softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 3f4ca1c4960775ccf6d3e3cf72ffb63a5aa5e811 6471 6467 2018-07-12T22:59:57Z DarkGabbz 2486 some grammar fixing wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Untested * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] c508e6b5838331101a75a518536ce6dbeee4af33 6491 6471 2018-08-29T21:48:51Z JayFoxRox 2 Attack tested: I've mapped GP DSP scratch mem and DMA'd to X-mem; read it back using CPU: Memory repeats wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Partial system reset using 0xCF9 I/O register | Only crashes so far, mostly untested |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Untested |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 5053f0439b1d629211ef184a1dab0438252e6069 6492 6491 2018-08-31T02:42:19Z JayFoxRox 2 More reports from yesterday wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 5833394c048ae618024adba0f08b785241f7a311 6493 6492 2018-08-31T12:48:43Z JayFoxRox 2 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device (theory is dead if this does not work; one last hope: hope for signal runtimes and use CPU) * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept, I'll probably try to use the CPU fallback, but I don't expect anything. No interest in doing NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only, someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept phase, needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 9fd7dd5c272e5fa0c436f721f7cc97db7cdd2245 6494 6493 2018-08-31T14:49:04Z JayFoxRox 2 Update state of my proposals wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 83eaf2480c66d06561e83e55bcc7e979a90a6cf1 0 3762 6469 6001 2018-07-11T17:45:24Z JayFoxRox 2 Add wikipedia links for flash memory and LPC wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB [[Wikipedia:Flash_memory|non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip]] and connected to the [[MCPX]] via the [[Wikipedia:Low Pin Count|<abbr title="Low Pin Count">LPC</abbr>]] bus. The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MiB; 0xFFFC0000, if the ROM is 256 kiB) into the but the Xbox kernel. For the content of the Microsoft flash images see [[BIOS]]. 4179697eadbe72a77f277ef2c8609ab94225af98 0 3772 6470 6203 2018-07-11T18:01:01Z JayFoxRox 2 /* Steps to activate Soundtrack Easter Egg: */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] 91c9919af69361f76d6b49879a94c54fce4fe48e 4 3957 6472 2018-07-14T21:56:30Z JayFoxRox 2 Created page with "[https://github.com/XboxDev/XboxDev To find out more about XboxDev please read our information on GitHub]" wikitext text/x-wiki [https://github.com/XboxDev/XboxDev To find out more about XboxDev please read our information on GitHub] ef6cb22f1ffed4fb0e09c8a697f52b60f6004ff8 0 3800 6473 5804 2018-07-14T23:28:34Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [https://github.com/XboxDev/a56 Modernized fork of A56, open-source assembler for the similar 56000 architecture] ae02658d5fbe7e654d090b6703b41efc9a68126f 6474 6473 2018-07-14T23:28:50Z JayFoxRox 2 /* Related links */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 511cc58fce307aef654eac1b58e74be42d0b4ea2 6476 6474 2018-07-23T18:10:55Z JayFoxRox 2 I've measured memory sizes of the Xbox DSPs using a program wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size |- ! GP | 4096{{FIXME|reason=Unconfirmed}} x 24-bit | 4096 x 24-bit | 2048 x 24-bit |- ! EP | 4096{{FIXME|reason=Unconfirmed}} x 24-bit | 3072 x 24-bit | 256 x 24-bit |} Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 9d8f07346493c696003255b7f981d9cd6272f314 6477 6476 2018-07-23T18:40:33Z JayFoxRox 2 Confirmed using a small test program which would grow and eventually stop working as it exceeds program memory wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit |} Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' Sample formats: * 0x0 = 8 bit * 0x1 = 16 bit * 0x2 = 24 bit in MSB * 0x3 = 32 bit * 0x4 * 0x5 * 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) * 0x7 Buffers: * 0x0 = FIFO0 * 0x1 = FIFO1 * 0x2 = FIFO2{{citation needed}} * 0x3 = FIFO3{{citation needed}} * 0x4 * 0x5 * 0x6 * 0x7 * 0x8 * 0x9 * 0xA * 0xB * 0xC * 0xD * 0xE = Circular * 0xF == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] b75940bcff3f914f1aa77b7d6efc28c8ac8e5605 6478 6477 2018-07-23T20:16:10Z JayFoxRox 2 Added some existing knowledge from XQEMU. Take this with grain of salt. wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit |} Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Circular ** 0xF * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 8 bit ** 0x1 = 16 bit ** 0x2 = 24 bit in MSB ** 0x3 = 32 bit ** 0x4 ** 0x5 ** 0x6 = 24 bit in LSB (also endianess switched?{{citation needed}}) ** 0x7 |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || The start of the buffer. |- ! 6 | Buffer limit || The end of the buffer. For 0x1000 bytes, this has to be 0xFFF.{{FIXME|reason=Is this independent of the base?}} |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] d11ca6bfdf743839df02bf37f5accfc09ab867d9 6479 6478 2018-07-24T01:55:13Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit |} Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Circular ** 0xF * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 8 bit ** 0x1 = 16 bit ** 0x2 = 24 bit in MSB ** 0x3 = 32 bit ** 0x4 ** 0x5 ** 0x6 = 24 bit in LSB ** 0x7 * Step size (Bit-offset 14; unknown size). ** 0 = Keeps reading from same source offset ** 1 = Reads every sample ** 2 = Reads every second sample ** ... |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || The start of the buffer. |- ! 6 | Buffer limit || The end of the buffer. For 0x1000 bytes, this has to be 0xFFF.{{FIXME|reason=Is this independent of the base?}} |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 75a3552ba8ac44b43ba6fd27937168396517ed41 6480 6479 2018-07-24T15:40:00Z JayFoxRox 2 Add note about MIXBUF wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Circular ** 0xF * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 8 bit ** 0x1 = 16 bit ** 0x2 = 24 bit in MSB ** 0x3 = 32 bit ** 0x4 ** 0x5 ** 0x6 = 24 bit in LSB ** 0x7 * Step size (Bit-offset 14; unknown size). ** 0 = Keeps reading from same source offset ** 1 = Reads every sample ** 2 = Reads every second sample ** ... |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || The start of the buffer. |- ! 6 | Buffer limit || The end of the buffer. For 0x1000 bytes, this has to be 0xFFF.{{FIXME|reason=Is this independent of the base?}} |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 18d3725e9f58be4543afec084e97980170b455b4 6490 6480 2018-08-29T20:49:34Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Circular ** 0xF * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 7 bit (all values are OR'd with 0x80) ** 0x1 = 16 bit ** 0x2 = 24 bit in MSB ** 0x3 = 32 bit (2 words per value: first word receives 24 bit, the next word only 8 bit) ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB ** 0x7 = ''Transfer skipped'' * Step size (Bit-offset 14; unknown size). ** 0 = Keeps reading from same source offset ** 1 = Reads every sample ** 2 = Reads every second sample ** ... |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || The start of the buffer. |- ! 6 | Buffer limit || The end of the buffer. For 0x1000 bytes, this has to be 0xFFF.{{FIXME|reason=Is this independent of the base?}} |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 4ad95d3a2075b3aded28d4bdbd9b0cac36065e42 0 3748 6475 6421 2018-07-19T22:16:31Z DarkGabbz 2486 wikitext text/x-wiki The System Management Controller (SMC) is a PIC16LC63A-04/SO microcontroller which handles a variety of tasks on the Xbox. This includes rebooting the system, returning the connected kind of video cable, the DVD tray state, controlling the fan, LED control and sensing temperature. It is also the hardware which is connected to the Power and Eject buttons. The PIC is running at 20 MHz with its own ROM, RAM and I/O lines. The PIC is always running, even if the Xbox is turned off. When the power cable is unplugged, it gets its energy from a capacitor for some hours. It is connected via I²C and located on address 0x10. == Revisions == The chip is also marked with a revision. Known revisions include: * P01 * P05 * P11 * P2L{{citation needed}} * D01 (Seen in a debug kit) * D05 (seen in a earlier model chihiro) b0be408e2fe1a1b8a599eebb385a716fc8383fc7 0 3 6481 6232 2018-08-11T23:36:58Z JayFoxRox 2 Added articles by Rich Geldreich about deferred rendering wikitext text/x-wiki == Xbox Post-Mortems by developers == * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] 7c314c8b45d45164dcbf8c75332dd419efd64eab 6482 6481 2018-08-11T23:38:49Z JayFoxRox 2 /* Xbox Post-Mortems by developers */ wikitext text/x-wiki == Xbox Post-Mortems by developers == * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [https://web-beta.archive.org/web/20010827184126/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] cd6c1989f21aaa0fee4cf9b87d7c3d52492caaf5 0 3707 6484 6109 2018-08-23T21:22:36Z DaveX 2487 /* Partitionstable extended with Device Object Names */ wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure | N/A |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"'' :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"'' '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] adcea481f0b44e71fcc8d982e4c2f1d917262d4c 2 3958 6485 2018-08-25T12:57:43Z Grovespaz 2503 Created page with "This is just a test page" wikitext text/x-wiki This is just a test page 9720e4f71aa95c2438db129bde8aa60eb3e25eed 2 3959 6486 2018-08-25T23:56:10Z Grovespaz 2503 Initial creation based on nxdk ntoskrnl.h wikitext text/x-wiki AvGetSavedDataAddress is an export in the [[Kernel|Xbox Kernel]]. It has ordinal 1. == Description == No documentation exists currently AvGetSavedDataAddress returns '''PVOID'''. This export does not seem to occur in Windows NT Kernels and is thus probably Xbox specific. 244460fccca6b9dfe25aa6668797707e49ebc93d 6487 6486 2018-08-26T00:36:51Z Grovespaz 2503 Initial creation based on nxdk ntoskrnl.h wikitext text/x-wiki {{KernelExport|name=AvGetSavedDataAddress|ordinal=1}} <!-- Please add documentation here --> == Syntax == <nowiki>XBAPI PVOID NTAPI AvGetSavedDataAddress(void);</nowiki> == Return Value == AvGetSavedDataAddress returns '''PVOID'''. db060077f59a72a2dbcb0306e61601d664087efe 10 3960 6488 2018-08-26T00:38:14Z Grovespaz 2503 Created page with "{{{name}}} is an export in the [[Kernel|Xbox Kernel]]. It has ordinal {{{ordinal}}}." wikitext text/x-wiki {{{name}}} is an export in the [[Kernel|Xbox Kernel]]. It has ordinal {{{ordinal}}}. adce1ea4fc044ee57f0ac66360ed1f11769fcd3d 2 3961 6489 2018-08-26T00:48:47Z Grovespaz 2503 Initial creation based on ntoskrnl.h wikitext text/x-wiki Test 640ab2bae07bedc4c163f679a746f7ab7fb5d1fa 6497 6489 2018-09-01T07:58:44Z Grovespaz 2503 wikitext text/x-wiki {{KernelExport|name=MmIsAddressValid|ordinal=174}} Checks whether a page fault would occur for a read operation on a specified address. The original Windows NT function is documented in the MSDN: [https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-mmisaddressvalid MmIsAddressValid] == Syntax == <nowiki>XBAPI BOOLEAN NTAPI MmIsAddressValid ( IN PVOID VirtualAddress );</nowiki> == Parameters == === VirtualAddress === The virtual address to be checked. == Return Value == MmIsAddressValid returns '''BOOLEAN''': TRUE if a page fault would occur, FALSE if not.. e3c10f5c9340960e2067f4081ff65a45de42bb37 2 3962 6495 2018-09-01T07:55:52Z Grovespaz 2503 Created page with "{{KernelExport|name=RtlFillMemory|ordinal=284}} Fills a specified memory area with repetitions of a ULONG value == Syntax == <nowiki>XBAPI VOID NTAPI RtlFillMemoryUlong (..." wikitext text/x-wiki {{KernelExport|name=RtlFillMemory|ordinal=284}} Fills a specified memory area with repetitions of a ULONG value == Syntax == <nowiki>XBAPI VOID NTAPI RtlFillMemoryUlong ( PVOID Destination, SIZE_T Length, ULONG Pattern );</nowiki> The original Windows NT function is documented in the MSDN: [https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-rtlfillmemory RtlFillMemory] == Parameters == === Destination (PVOID) === A pointer to the (ULONG-aligned) memory block which is to be filled === Length (SIZE_T) === The length of the memory block which is to be filled === Pattern (ULONG) === The ULONG-value with which the memory block will be filled == Return Value == RtlFillMemory returns '''VOID'''. 299f4912223dbf7e88e28ff074d9c5bb33274b4d 2 3963 6496 2018-09-01T07:56:27Z Grovespaz 2503 Created page with "{{KernelExport|name=XeUnloadSection|ordinal=328}} Decrements the reference count of the section and unloads it if the reference count reaches zero. == Syntax == <nowiki>XBAP..." wikitext text/x-wiki {{KernelExport|name=XeUnloadSection|ordinal=328}} Decrements the reference count of the section and unloads it if the reference count reaches zero. == Syntax == <nowiki>XBAPI NTSTATUS NTAPI XeUnloadSection ( IN OUT PXBEIMAGE_SECTION Section );</nowiki> == Parameters == === Section (PXBEIMAGE_SECTION) === Direction: IN OUT The section to be unloaded. == Return Value == XeUnloadSection returns '''NTSTATUS''': STATUS_SUCCESS or the error.. 25bbd5d2c8b193c9329c227892bd5085055a303e 2 3964 6498 2018-09-01T08:03:16Z Grovespaz 2503 Created page with "{{KernelExport|name=RtlUpcaseUnicodeToMultiByteN|ordinal=315}} <!-- Please add documentation here --> The original Windows NT function is documented in the MSDN: [https://doc..." wikitext text/x-wiki {{KernelExport|name=RtlUpcaseUnicodeToMultiByteN|ordinal=315}} <!-- Please add documentation here --> The original Windows NT function is documented in the MSDN: [https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-rtlupcaseunicodetomultibyten RtlUpcaseUnicodeToMultiByteN] == Syntax == <nowiki>XBAPI NTSTATUS NTAPI RtlUpcaseUnicodeToMultiByteN ( PCHAR MultiByteString, ULONG MaxBytesInMultiByteString, PULONG BytesInMultiByteString, PWSTR UnicodeString, ULONG BytesInUnicodeString );</nowiki> == Parameters == === MultiByteString === === MaxBytesInMultiByteString === === BytesInMultiByteString === === UnicodeString === === BytesInUnicodeString === == Return Value == RtlUpcaseUnicodeToMultiByteN returns '''NTSTATUS'''. 181d15341f6aa83cceaddbe6dddb875a4844de0a 2 3963 6499 6496 2018-09-01T08:07:31Z Grovespaz 2503 wikitext text/x-wiki {{KernelExport|name=XeUnloadSection|ordinal=328}} Decrements the reference count of the section and unloads it if the reference count reaches zero. == Syntax == <nowiki>XBAPI NTSTATUS NTAPI XeUnloadSection ( IN OUT PXBEIMAGE_SECTION Section );</nowiki> == Parameters == === Section === The section to be unloaded. == Return Value == XeUnloadSection returns '''NTSTATUS''': STATUS_SUCCESS or the error.. d3c5f86675a0931214e06a6fd6886ee03a390f65 0 3751 6500 6494 2018-09-01T23:34:21Z JayFoxRox 2 List my 2 most promising findings from the past week of exploit experiments wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] a12d87474fb93e47d0a27937aa14536c0eb8d09d 6501 6500 2018-09-01T23:37:34Z JayFoxRox 2 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 19846af6d44c275b960b9d45a94498dae557f568 6519 6501 2018-09-12T18:17:01Z DaveX 2487 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] d08d41ac23295e5e26fc2d70ccdabeb871175fe0 6538 6519 2018-09-27T13:53:01Z JayFoxRox 2 Added DVD Dongle "Hacking!" section from Xbox-Linux wiki wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 855885d71c2f70a4fe31dd4e37b26468be219a72 0 3742 6502 6375 2018-09-02T07:33:37Z KaosEngineer 2482 Language and value stored in the configuration EEPROM (little endian LeastSigByte at offset 0x90 is the only byte with a non-0x00 value). wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID * English 0x01 0x00 0x00 0x00 * Japanese 0x02 0x00 0x00 0x00 * German 0x03 0x00 0x00 0x00 * French 0x04 0x00 0x00 0x00 * Spanish 0x05 0x00 0x00 0x00 * Italian 0x06 0x00 0x00 0x00 * Korean 0x07 0x00 0x00 0x00 * Chinese 0x08 0x00 0x00 0x00 * Portuguese 0x09 0x00 0x00 0x00 |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 32c32de8a262d61ae88ca87004713bc7781eeb46 6503 6502 2018-09-02T07:41:15Z KaosEngineer 2482 Reformatted values into a table instead of bullet point list. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] b5287d7eb441ef5e8be27fba8030838549e6fe04 0 3671 6504 5829 2018-09-02T21:33:32Z DaveX 2487 added note about the PC speaker wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. The MCPX is also the home to the secret [[MCPX ROM]]. And it's also the home of the famous PC Speaker Signal. <br \> One just has to solder a Speaker on (MXPC pin L21) and it can be used just like on the PC.<br \> For some test code see [https://github.com/0DaveX/beep/ https://github.com/0DaveX/beep/] [[File:XboxWithPcSpkr.jpg]] <br \> [[File:SolderPoints.jpg]] 5c3dddb880f4e79c9e757abb110addb6ed0a7dad 6505 6504 2018-09-02T21:55:26Z DaveX 2487 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. The MCPX is also the home to the secret [[MCPX ROM]]. And it's also the home of the famous PC Speaker Signal. <br \> One just has to solder a Speaker on (MXPC pin L21) and it can be used just like on the PC.<br \> For some test code see [https://github.com/0DaveX/beep/ https://github.com/0DaveX/beep/] [[File:XboxWithPcSpkr.jpg]] <br \> [[File:XboxPcSpkrSolderPoints.jpg]] ee092e6d0891e0e947d17c30a48dc4acebfe065d 6506 6505 2018-09-03T01:23:47Z DaveX 2487 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. The MCPX is also the home to the secret [[MCPX ROM]]. And it's also the home of the famous PC Speaker Signal. <br \> One just has to solder a Speaker on (MCPX pin L21) and it can be used just like on the PC.<br \> For some test code see [https://github.com/0DaveX/beep/ https://github.com/0DaveX/beep/] [[File:XboxWithPcSpkr.jpg]] <br \> [[File:XboxPcSpkrSolderPoints.jpg]] cd452ee5426ccfb18a86a732380e87f4809e4962 6509 6506 2018-09-03T19:57:12Z JayFoxRox 2 More technical wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [the standard PC Speaker interface https://wiki.osdev.org/PC_Speaker]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. [[File:XboxWithPcSpkr.jpg]] <br \> [[File:XboxPcSpkrSolderPoints.jpg]] 1e622d45792d47fa155b90d7d8e78d17ef89fe4a 6529 6509 2018-09-16T21:01:47Z DaveX 2487 /* Pin L21: PC Speaker */ wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [the standard PC Speaker interface https://wiki.osdev.org/PC_Speaker]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. [[File:XboxWithPcSpkr.jpg|left|500px]] <br \> [[File:XboxPcSpkrSolderPoints.jpg|left|500px]] 3de6480b1ca6c841ba8fe0bcaa83b4f3ff6698f3 6530 6529 2018-09-18T22:12:24Z DaveX 2487 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [the standard PC Speaker interface https://wiki.osdev.org/PC_Speaker]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. [[File:XboxWithPcSpkr.jpg|left|500px]] <br \> [[File:XboxPcSpkrTrace.jpg|left|500px]] <br \> [[File:XboxPcSpkrSolderPoints.jpg|left|500px]] e0853fb5482a637c77080aaf5d3effb3d9cd3e42 6532 6530 2018-09-18T22:28:02Z JayFoxRox 2 Fix link again wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. [[File:XboxWithPcSpkr.jpg|left|500px]] <br \> [[File:XboxPcSpkrTrace.jpg|left|500px]] <br \> [[File:XboxPcSpkrSolderPoints.jpg|left|500px]] d705c28a4bd4a2e78a43caad9262148c36bdc589 6533 6532 2018-09-18T23:36:26Z DaveX 2487 /* Pin L21: PC Speaker */ wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|''[[commons:Astronotus ocellatus|Astronotus ocellatus]]'' (Oscar) Image:XboxPcSpkrTrace.jpg|''[[commons:Salmo salar|Salmo salar]]'' (Salmon Larva) Image:XboxPcSpkrSolderPoints.jpg|''[[commons:Epinephelus lanceolatus|Epinephelus lanceolatus]]'' (Giant grouper) </gallery> dabc7df5c897647c424e333e4b64126b85f068a3 6534 6533 2018-09-18T23:42:10Z DaveX 2487 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. === ROM === The MCPX is home to the secret [[MCPX ROM]]. === Pin L21: PC Speaker === The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> 892942744274f80571f106cf29dec9adda00c63b 0 3821 6507 6356 2018-09-03T17:26:39Z Codeasm 2480 /* Resources */ changed to working link. wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding witch files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and posibly potencial faults that could occur. The Hardware required for this where a Developement kit (with the DVD emulation board) a sort of scsi cable and a XDK-Raptor card.{{citation needed}} The complete kit, a Raptor PCI Scsi card and Hardisk was numbered: 940-75004 Rev.01 two or more versions of the PCI scsi card are known: * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. For development it wasnt the fastest way to get an executable to the xbox, and for homebrew its pretty useless.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board and serial board] fc71cfdcf511601929866b89bf7c6a332e9755ec 0 3692 6508 6406 2018-09-03T18:59:52Z JayFoxRox 2 /* Wireless adapter */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == System Link == {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] b12986155da97ea33a873d6b156fe1150314aeee 6540 6508 2018-10-02T23:43:34Z JayFoxRox 2 /* System Link */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == System Link == === Secured traffic === Xbox network traffic is secured through [[wikipedia:IPSec|IPSec]]. The implementation appears to be similar to [https://tools.ietf.org/html/rfc3948#section-2.1|RFC 3498, Section 2.1] from 2005 which was co-authored by Microsoft. The protocol uses UDP port 3074 which is also registered with the IANA for use in the Xbox[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3074]. Each Xbox uses the IP 0.0.0.1, so addressing relies on MAC-addresses{{FIXME|reason=Confirm this}}. The specific implementation in the Xbox uses TripleDES ([https://tools.ietf.org/html/rfc1851|RFC 1851]) for encryption, and SHA1-96 as [[wikipedia:HMAC|HMAC]]. ==== Key derivation ==== The following keys are involved in generating the actual network crypto-keys: * XboxLANKey (Kernel export) * Game specific LAN Key (XBE Certificate Header) The algorithm to generate the final keys, is this: <pre> LAN-Hash_1 = HMAC(XboxLANKey, concatenate(0x00, XBE-LAN-Key)) LAN-Hash_2 = HMAC(XboxLANKey, concatenate(0x01, XBE-LAN-Key)) LAN-Hash = concatenate(LAN-Hash_1, LAN-Hash_2) LAN-SHA = LAN-Hash_0_to_15 LAN-DES = XcDESKeyParity(LAN-Hash_16_to_39) </pre> [[Kernel/XcDESKeyParity|XcDESKeyParity]] is the same as the respective function in the Xbox kernel. ==== Broadcast messages ==== Because no security association exists for broadcast messages, these are handled differently. A common use case for broadcast messages is a server announce request / response. Broadcast messages are send to 255.255.255.255 (MAC-address: FF:FF:FF:FF:FF:FF) using SPI 0xFFFFFFFF and Sequence Number 0xFFFFFFFF. A random IV is chosen, but nothing prevents re-using an IV. ==== Security association ==== Most messages require an SA between devices{{FIXME|reason=Look into this}}. === XDK API === {{FIXME|reason=This probably shouldn't be here? there should be dedicated articles for the XDK APIs}} {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |} == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Matchmaking servers === === Game servers === === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Xbox Live Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |- | | |- | | |- | | |- | | |- | | |- | | |- | | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 59c95a67b5c79aed7a69274518d32825a211ff08 6546 6540 2018-10-04T19:05:32Z JayFoxRox 2 Section moved to Xbox Live article due to significance and for possible growth wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == System Link == === Secured traffic === Xbox network traffic is secured through [[wikipedia:IPSec|IPSec]]. The implementation appears to be similar to [https://tools.ietf.org/html/rfc3948#section-2.1|RFC 3498, Section 2.1] from 2005 which was co-authored by Microsoft. The protocol uses UDP port 3074 which is also registered with the IANA for use in the Xbox[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3074]. Each Xbox uses the IP 0.0.0.1, so addressing relies on MAC-addresses{{FIXME|reason=Confirm this}}. The specific implementation in the Xbox uses TripleDES ([https://tools.ietf.org/html/rfc1851|RFC 1851]) for encryption, and SHA1-96 as [[wikipedia:HMAC|HMAC]]. ==== Key derivation ==== The following keys are involved in generating the actual network crypto-keys: * XboxLANKey (Kernel export) * Game specific LAN Key (XBE Certificate Header) The algorithm to generate the final keys, is this: <pre> LAN-Hash_1 = HMAC(XboxLANKey, concatenate(0x00, XBE-LAN-Key)) LAN-Hash_2 = HMAC(XboxLANKey, concatenate(0x01, XBE-LAN-Key)) LAN-Hash = concatenate(LAN-Hash_1, LAN-Hash_2) LAN-SHA = LAN-Hash_0_to_15 LAN-DES = XcDESKeyParity(LAN-Hash_16_to_39) </pre> [[Kernel/XcDESKeyParity|XcDESKeyParity]] is the same as the respective function in the Xbox kernel. ==== Broadcast messages ==== Because no security association exists for broadcast messages, these are handled differently. A common use case for broadcast messages is a server announce request / response. Broadcast messages are send to 255.255.255.255 (MAC-address: FF:FF:FF:FF:FF:FF) using SPI 0xFFFFFFFF and Sequence Number 0xFFFFFFFF. A random IV is chosen, but nothing prevents re-using an IV. ==== Security association ==== Most messages require an SA between devices{{FIXME|reason=Look into this}}. === XDK API === {{FIXME|reason=This probably shouldn't be here? there should be dedicated articles for the XDK APIs}} {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |} == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] e7995e4178b03e7ea19285381745fc14d8992ae7 6548 6546 2018-10-04T19:07:52Z JayFoxRox 2 Moved to System Link article, as it is signifcant and will likely grow in the future wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventualy an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The Xbox has a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. Port 3074 UDP/TCP is reserved for Xbox communications. == Hardware == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox Linux team used the binary drivers from Nvidia. === Wireless adapter === based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == Heartbeat == Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] a6b481c82745866cc465bde09e707779bb96890d 0 3731 6510 5375 2018-09-05T23:48:39Z Ernegien 2491 wikitext text/x-wiki {{Game}} ===Debugging=== To enable debugging of the original NTSC version with xbdm (be sure to use the retail xbdm version 5455 if on a retail box due to low memory constraints) replace the single instance of <code>6A 00 FF 74 24 08 E8 35</code> with <code>33 C0 40 C2 04 00 E8 35</code> in the default.xbe which will skip a call to <code>XnTerm</code>. 28e3b9b08373f4ec51880e98c15a34d84d8b7dd5 6544 6510 2018-10-03T00:24:02Z JayFoxRox 2 Add some of my notes regarding protocol wikitext text/x-wiki {{Game}} === Debugging === To enable debugging of the original NTSC version with xbdm (be sure to use the retail xbdm version 5455 if on a retail box due to low memory constraints) replace the single instance of <code>6A 00 FF 74 24 08 E8 35</code> with <code>33 C0 40 C2 04 00 E8 35</code> in the default.xbe which will skip a call to <code>XnTerm</code>. === System-Link protocol === The messages are encapsulated in Xbox secured network traffic. <pre> enum GameMode { CTF = 0, Slayer = 1, Oddball = 2, King = 3, Race = 4 }; </pre> ==== Server announce request ==== This is a broadcast message from UDP Port 5151 to port 5150. The packet is 16 bytes long. <pre> b'\x01\x0c\x01\x14\x1f\x00\x01zLa(\xe9\x03\xfc\xf7\x00' # Python string </pre> ==== Server announce response ==== This is a broadcast message from UDP Port 5150 to port 5151. The packet is 280 bytes long. <pre> struct { ... // assert(udp_payload[43:47] == bytes([0x0C,0x00,0x00,0x50])); uint32_t unk47; // +47 uint32_t unk51; // +51 uint16_t unk55; // +55 uint32_t unk57; // +57 wchar_t server_name[62]; // +61 Only 15 symbols will be displayed char map_path[128]; // +123 ... uint16_t game_mode; // +251 uint16_t unk253; // +253 uint16_t player_count; // +255 uint16_t unk257; // +257 uint16_t game_mode_parameter; // +259 // 1 = game in progress // 2 = accepting players (takes priority over "game in progress") // 4 = team game (otherwise: free for all) // If neither 1 or 2 is provided, then the game is "(closed)" uint16_t flags; // +261 char weird[16]; // +263 contains ASCII string "$;$Dage in a bot" uint8_t unk279; // +279 }; </pre> 319951e51cef13203744f05484387ab52d780d6c 0 3965 6511 2018-09-06T03:05:46Z Root670 2504 Created page with "The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The not..." wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes. File Layout: <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x01 0x00 0x00 0x00 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x71 0x13 0x02 0x00 |- | int32 | id | |- | int32 | numSongGroups | |- | int32 | songGroupIds | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x73 0x10 0x03 0x00 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | Song Struct | songs[6] | |- | char | padding[64] | |} === Song Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | id | |- | int32 | timeMilliseconds | |- | wchar | name[64] | Unicode string |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 668039349abf9ce55b86b3487f12b836a977d5eb 6515 6511 2018-09-07T02:39:25Z Root670 2504 /* ST.DB */ Corrected song storage in the song group struct and type of numSongGroups in the soundtrack struct. wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes. File Layout: <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x01 0x00 0x00 0x00 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x71 0x13 0x02 0x00 |- | int32 | id | |- | uint32 | numSongGroups | |- | int32 | songGroupIds | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x73 0x10 0x03 0x00 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[384] | 6 Unicode strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 75c847aa72bf971ac37ad67096dcb08bc4369cae 6516 6515 2018-09-09T02:47:50Z JayFoxRox 2 Marked unicode with FIXME regarding encoding; Marked confusing magic values with FIXME regarding endianess / type wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes. File Layout: <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x01 0x00 0x00 0x00 {{FIXME|reason=Is this 0x00000001 or 0x01000000 when read as int32_t via CPU? Is the type int32_t or uint8_t[4]?}} |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x71 0x13 0x02 0x00 {{FIXME|reason=Is this 0x00021371 or 0x71130200 when read as int32_t via CPU? Is the type int32_t or uint8_t[4]?}} |- | int32 | id | |- | uint32 | numSongGroups | |- | int32 | songGroupIds | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode{{FIXME|reason=Encoding? UCS-2?}} string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x73 0x10 0x03 0x00 {{FIXME|reason=Is this 0x00031073 or 0x73100300 when read as int32_t via CPU? Is the type int32_t or uint8_t[4]?}} |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[384] | 6 Unicode{{FIXME|reason=Encoding? UCS-2?}} strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 0af114f9c0bdc28bc6cb6507f7450c81d908a4d4 6520 6516 2018-09-16T15:57:37Z Root670 2504 Clarified endianness for values in main header and structs. wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes. File Layout: <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === All values are little-endian. {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00000001 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00021371 |- | int32 | id | |- | uint32 | numSongGroups | |- | int32 | songGroupIds | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode{{FIXME|reason=Encoding? UCS-2?}} string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00031073 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[384] | 6 Unicode{{FIXME|reason=Encoding? UCS-2?}} strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 0fb36a9eac1881c22316661080897288dfd081d4 6521 6520 2018-09-16T15:59:49Z Root670 2504 /* ST.DB */ Move endianness note to beginning of ST.DB section. wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes, and all values are stored as little-endian. '''File Layout:''' <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00000001 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00021371 |- | int32 | id | |- | uint32 | numSongGroups | |- | int32 | songGroupIds | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode{{FIXME|reason=Encoding? UCS-2?}} string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00031073 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[384] | 6 Unicode{{FIXME|reason=Encoding? UCS-2?}} strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 1bae66fb7bb186c9c3cf01c7a812775dcc142947 0 1 6512 6435 2018-09-06T03:10:41Z Root670 2504 /* System Software */ Add link to Soundtracks page. wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Network]] * [[Patents]] * Find random stuff in [[Resources]] bd91ce41b78ad5ebadf7bf393668ce912e5fa202 0 3772 6513 6470 2018-09-06T03:11:50Z Root670 2504 /* See Also */ Add link to Soundtracks page. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == [[Hard Drive Files]] [[Soundtracks]] 43b4379ffe5d76f19462eb18f099657a917dfc7e 6514 6513 2018-09-06T03:12:31Z Root670 2504 /* See Also */ Format as list. wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == * [[Hard Drive Files]] * [[Soundtracks]] 04eaa6799ffe0a3adcd15f1dfe50d149130e9909 0 3720 6517 5309 2018-09-10T17:06:42Z JayFoxRox 2 Add Shrek deferred rendering information wikitext text/x-wiki {{Game}} === Deferred Rendering === [[File:shrek-albedo.png|thumb|Albedo]] [[File:shrek-normals.png|thumb|Normals]] [[File:shrek-unk0.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-unk1.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-final.png|thumb|Final composition]] Shrek uses [[wikipedia:Deferred Rendering]]. Rich Geldreich, a developer of the game, has written multiple articles about the topic[https://sites.google.com/site/richgel99/home]. fcb2affa67197d3392148895c6e9ae3ed5afbeae 6518 6517 2018-09-10T17:09:51Z JayFoxRox 2 Make wikipedia link appear correctly wikitext text/x-wiki {{Game}} === Deferred Rendering === [[File:shrek-albedo.png|thumb|Albedo]] [[File:shrek-normals.png|thumb|Normals]] [[File:shrek-unk0.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-unk1.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-final.png|thumb|Final composition]] Shrek uses [[wikipedia:Deferred Rendering|Deferred Rendering]]. Rich Geldreich, a developer of the game, has written multiple articles about the topic[https://sites.google.com/site/richgel99/home]. c053cf4b49b8b4114277cd2b326c7fdb90441e72 6 3966 6522 2018-09-16T20:49:34Z DaveX 2487 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3967 6523 2018-09-16T20:50:10Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3968 6524 2018-09-16T20:50:18Z DaveX 2487 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3969 6525 2018-09-16T20:50:24Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3970 6526 2018-09-16T20:50:39Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3971 6527 2018-09-16T20:51:01Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3972 6528 2018-09-16T20:51:18Z JayFoxRox 2 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 3973 6531 2018-09-18T22:13:16Z DaveX 2487 Image by Andy Anderson wikitext text/x-wiki Image by Andy Anderson 974ff9e9e318372f0c9ab495bf2aa4a5127b2240 6535 6531 2018-09-19T00:03:19Z DaveX 2487 DaveX uploaded a new version of [[File:XboxPcSpkrTrace.jpg]] wikitext text/x-wiki Image by Andy Anderson 974ff9e9e318372f0c9ab495bf2aa4a5127b2240 0 3768 6536 6174 2018-09-27T13:46:44Z JayFoxRox 2 Add rough protocol information based on lirc configurations wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used // This appears to be some timer which counts down from ~0x9XY // When it reaches 0x0040, it gets reset to 0x0041. // So for very short presses you get high values, and for continously holding // you get a repeating pattern: 0x0040, 0x0041, 0x0040, 0x0041, 0x0040, ... uint8_t timer_low; uint8_t timer_high; }; </pre> ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. === Hacking === As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 7a72ff67186e7ef8f70c0e35543090fb96c87b30 6537 6536 2018-09-27T13:47:17Z JayFoxRox 2 Remove hacking section (will be moved to exploit list) wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used // This appears to be some timer which counts down from ~0x9XY // When it reaches 0x0040, it gets reset to 0x0041. // So for very short presses you get high values, and for continously holding // you get a repeating pattern: 0x0040, 0x0041, 0x0040, 0x0041, 0x0040, ... uint8_t timer_low; uint8_t timer_high; }; </pre> ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 4d55e881074d47ea2de3b44e3dd677e29f94d7ca 6539 6537 2018-09-27T19:10:34Z JayFoxRox 2 /* Infrared signals */ wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 159019c53de04bfa2aae74d23cc47500e5add67a 0 3974 6541 2018-10-02T23:56:38Z JayFoxRox 2 Port from my Python code, but with added comments wikitext text/x-wiki === Pseudocode === <pre> XBAPI VOID NTAPI XcDESKeyParity(IN OUT PUCHAR pbKey, IN ULONG dwKeyLength) { // For each number between 0x0 and 0xF, this tells how many set bits there are. const uint8_t parity_table[] = { 0x00, 0x01, 0x01, 0x02, 0x01, 0x02, 0x02, 0x03, 0x01, 0x02, 0x02, 0x03, 0x02, 0x03, 0x03, 0x04 }; // Count number of set bits in each byte, and flip the lowest bit if there's an even number. // This forces each byte to have odd parity, as required by DES. for(ULONG i = 0; i < dwKeyLength; i++) { high_parity = parity_table[(pbKey[i] >> 4) & 0xF]; low_parity = parity_table[(pbKey[i] >> 0) & 0xF]; if ((high_parity + low_parity) % 2) == 0 { pbKey[i] ^= 0x01; } } return; } </pre> 95f1221231c990fc034a1964cf27fdf643ba7932 6542 6541 2018-10-02T23:58:44Z JayFoxRox 2 wikitext text/x-wiki The ''XcDESKeyParity'' function turns a key into a DES key which requires odd-parity per byte. === Pseudocode === {{FIXME|reason=This should be removed from here, and instead we should just link to an actual implementation of the algorithm}} <pre> XBAPI VOID NTAPI XcDESKeyParity(IN OUT PUCHAR pbKey, IN ULONG dwKeyLength) { // For each number between 0x0 and 0xF, this tells how many set bits there are. const uint8_t parity_table[] = { 0x00, 0x01, 0x01, 0x02, 0x01, 0x02, 0x02, 0x03, 0x01, 0x02, 0x02, 0x03, 0x02, 0x03, 0x03, 0x04 }; // Count number of set bits in each byte, and flip the lowest bit if there's an even number. // This forces each byte to have odd parity, as required by DES. for(ULONG i = 0; i < dwKeyLength; i++) { high_parity = parity_table[(pbKey[i] >> 4) & 0xF]; low_parity = parity_table[(pbKey[i] >> 0) & 0xF]; if ((high_parity + low_parity) % 2) == 0 { pbKey[i] ^= 0x01; } } return; } </pre> bc5b433b65bc3065d49de720c0ec85d3694b1e9e 6543 6542 2018-10-03T00:03:27Z JayFoxRox 2 wikitext text/x-wiki The ''XcDESKeyParity'' function turns a key into a DES key which requires odd-parity per byte. {{FIXME|reason=Mention crypto vector}} === Links === * [https://github.com/Cxbx-Reloaded/Cxbx-Reloaded/blob/f73114df61d943ba73b329a6e4bd6805254af243/src/CxbxKrnl/EmuKrnlXc.cpp#L234 XcDESKeyParity implementation in Cxbx-Reloaded] 5f3bbf2d37fdc231a8a709b8a5a7a7a2159e6966 0 3693 6545 5113 2018-10-04T19:04:56Z JayFoxRox 2 Split from Network article wikitext text/x-wiki == Xbox Live == Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Matchmaking servers === === Game servers === === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} 88cff8a1a8aba5c982158e989f0e5c6de6dc296f 0 3975 6547 2018-10-04T19:07:17Z JayFoxRox 2 Split from Network article wikitext text/x-wiki === Secured traffic === Xbox network traffic is secured through [[wikipedia:IPSec|IPSec]]. The implementation appears to be similar to [https://tools.ietf.org/html/rfc3948#section-2.1|RFC 3498, Section 2.1] from 2005 which was co-authored by Microsoft. The protocol uses UDP port 3074 which is also registered with the IANA for use in the Xbox[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3074]. Each Xbox uses the IP 0.0.0.1, so addressing relies on MAC-addresses{{FIXME|reason=Confirm this}}. The specific implementation in the Xbox uses TripleDES ([https://tools.ietf.org/html/rfc1851|RFC 1851]) for encryption, and SHA1-96 as [[wikipedia:HMAC|HMAC]]. ==== Key derivation ==== The following keys are involved in generating the actual network crypto-keys: * XboxLANKey (Kernel export) * Game specific LAN Key (XBE Certificate Header) The algorithm to generate the final keys, is this: <pre> LAN-Hash_1 = HMAC(XboxLANKey, concatenate(0x00, XBE-LAN-Key)) LAN-Hash_2 = HMAC(XboxLANKey, concatenate(0x01, XBE-LAN-Key)) LAN-Hash = concatenate(LAN-Hash_1, LAN-Hash_2) LAN-SHA = LAN-Hash_0_to_15 LAN-DES = XcDESKeyParity(LAN-Hash_16_to_39) </pre> [[Kernel/XcDESKeyParity|XcDESKeyParity]] is the same as the respective function in the Xbox kernel. ==== Broadcast messages ==== Because no security association exists for broadcast messages, these are handled differently. A common use case for broadcast messages is a server announce request / response. Broadcast messages are send to 255.255.255.255 (MAC-address: FF:FF:FF:FF:FF:FF) using SPI 0xFFFFFFFF and Sequence Number 0xFFFFFFFF. A random IV is chosen, but nothing prevents re-using an IV. ==== Security association ==== Most messages require an SA between devices{{FIXME|reason=Look into this}}. === XDK API === {{FIXME|reason=This probably shouldn't be here? there should be dedicated articles for the XDK APIs}} {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |} 6409934b7e47366b63240faca68ad7f0972b6905 0 3692 6549 6548 2018-10-04T19:16:22Z JayFoxRox 2 Move content around wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation-needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 599da2ccc469fa0de53e55db6a0eb17f04c1fce9 6550 6549 2018-10-04T19:17:14Z JayFoxRox 2 Used the wrong template name for citation needed wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp https://github.com/grayj/Jedi-Academy/blob/master/codemp/xbox/XBLive.cpp] * [http://discerning.com/pdfbox/test/input/authentication.pdf http://discerning.com/pdfbox/test/input/authentication.pdf] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] cbb30163f442cfba3bfc68d4cb9964335b14bec7 0 3693 6551 6545 2018-10-04T19:19:29Z JayFoxRox 2 Remove topmost section wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Matchmaking servers === === Game servers === === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) | |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} a739e328856d4c923f5f7ca61bd80a37a4544945 0 1 6552 6512 2018-10-04T19:25:21Z JayFoxRox 2 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] ** [[Network]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[NVNet|Network Controller (NVNet)]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Patents]] * Find random stuff in [[Resources]] 66745553a92b4ed84ed57c5dc5195e4915c1abf3 6553 6552 2018-10-04T19:26:09Z JayFoxRox 2 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] ** [[Network]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Other == * [[Patents]] * Find random stuff in [[Resources]] 02a0e3ca8d45c4d8977f02f70f9732ca8f9be42f 0 3975 6554 6547 2018-10-05T03:28:22Z JayFoxRox 2 Fix RFC links wikitext text/x-wiki === Secured traffic === Xbox network traffic is secured through [[wikipedia:IPSec|IPSec]]. The implementation appears to be similar to [https://tools.ietf.org/html/rfc3948#section-2.1 RFC 3498, Section 2.1] from 2005 which was co-authored by Microsoft. The protocol uses UDP port 3074 which is also registered with the IANA for use in the Xbox[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3074]. Each Xbox uses the IP 0.0.0.1, so addressing relies on MAC-addresses{{FIXME|reason=Confirm this}}. The specific implementation in the Xbox uses TripleDES ([https://tools.ietf.org/html/rfc1851 RFC 1851]) for encryption, and SHA1-96 as [[wikipedia:HMAC|HMAC]]. ==== Key derivation ==== The following keys are involved in generating the actual network crypto-keys: * XboxLANKey (Kernel export) * Game specific LAN Key (XBE Certificate Header) The algorithm to generate the final keys, is this: <pre> LAN-Hash_1 = HMAC(XboxLANKey, concatenate(0x00, XBE-LAN-Key)) LAN-Hash_2 = HMAC(XboxLANKey, concatenate(0x01, XBE-LAN-Key)) LAN-Hash = concatenate(LAN-Hash_1, LAN-Hash_2) LAN-SHA = LAN-Hash_0_to_15 LAN-DES = XcDESKeyParity(LAN-Hash_16_to_39) </pre> [[Kernel/XcDESKeyParity|XcDESKeyParity]] is the same as the respective function in the Xbox kernel. ==== Broadcast messages ==== Because no security association exists for broadcast messages, these are handled differently. A common use case for broadcast messages is a server announce request / response. Broadcast messages are send to 255.255.255.255 (MAC-address: FF:FF:FF:FF:FF:FF) using SPI 0xFFFFFFFF and Sequence Number 0xFFFFFFFF. A random IV is chosen, but nothing prevents re-using an IV. ==== Security association ==== Most messages require an SA between devices{{FIXME|reason=Look into this}}. === XDK API === {{FIXME|reason=This probably shouldn't be here? there should be dedicated articles for the XDK APIs}} {| class="wikitable" |+XNet* Functions |- ! function ! description |- |XNetCreateKey(&xnkid, &xnkey) | |- |XNetRegisterKey(&xnkid, &xnkey) |Register the session key |- |XNetXnAddrToInAddr( pxnaddr, pxnkid, &pseudoIP ) |Convert the address to a winsock usable format |- |XNetUnregisterKey( &xbc.SessionID ) | |- |XNetGetTitleXnAddr( &hostAddr ) |Gets your XNADDR. Used by syslink, and lots of other people. |- |XNetGetEthernetLinkStatus() | |} 6d77976351980242eff4b552fd4b718202b4f812 0 3689 6555 5493 2018-10-06T02:04:16Z JayFoxRox 2 There's a prefix for the number of bytes, this must be skipped and is important if you try to read beyond the end of the file wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. f30e70ef30a1170f0906544f694f6db62b16b9e8 6556 6555 2018-10-06T02:06:23Z JayFoxRox 2 /* drivelist (List drive letters) */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== {{XBDM command|text=drivelist}} Returns a string which contains the drive-letter for each accessible drive. ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum</span>==== ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 4a9c4e24cf2f33ecaf36d247d43e7826414e268e 6558 6556 2018-10-07T13:43:58Z JayFoxRox 2 /* getsum */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== {{XBDM command|text=drivelist}} Returns a string which contains the drive-letter for each accessible drive. ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum (Generate memory checksums)</span>==== {{XBDM command|version=5120+|text=getsum addr=DWORD length=DWORD blocksize=DWORD}} Generates one or more checksums from memory. The function will return <code>length</code> divided by <code>blocksize</code> 32-bit little endian checksums for the memory starting at virtual address <code>addr</code>. The <code>addr</code>, <code>length</code> and <code>blocksize</code> must be multiples of 8. Picking bad values can lead to crashes. Each checksum is equal to <code>ReverseBitOrder(CRC32(address + blockoffset, blocksize) XOR 0xFFFFFFFF)</code> for the respective block. ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot</span>==== ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 7aeb1d199d9d247c9a044d307003778ec0bc1c88 6559 6558 2018-10-07T14:02:27Z JayFoxRox 2 /* magicboot */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file)==== ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== {{XBDM command|text=drivelist}} Returns a string which contains the drive-letter for each accessible drive. ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum (Generate memory checksums)</span>==== {{XBDM command|version=5120+|text=getsum addr=DWORD length=DWORD blocksize=DWORD}} Generates one or more checksums from memory. The function will return <code>length</code> divided by <code>blocksize</code> 32-bit little endian checksums for the memory starting at virtual address <code>addr</code>. The <code>addr</code>, <code>length</code> and <code>blocksize</code> must be multiples of 8. Picking bad values can lead to crashes. Each checksum is equal to <code>ReverseBitOrder(CRC32(address + blockoffset, blocksize) XOR 0xFFFFFFFF)</code> for the respective block. ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot (Boot into new title)</span>==== {{XBDM command|text=magicboot title=STRING debug}} Boots into another title, specified by the path to XBE in <code>title</code>. If the optional <code>debug</code> is provided, XBDM will remain loaded while the title is running. ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 03e774979a41fcb065dd5109cc07a1a584d6d7dc 0 3829 6557 5975 2018-10-06T03:40:41Z JayFoxRox 2 wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} ==== Links ==== * [https://github.com/JayFoxRox/xbox-tools/tree/4bc808e187311010f850d7fbd9af4b76bed90727/communicator-tool Code for accessing the communicator microphone and speaker] 8524432cbe129072d8f30b414959598e81454059 0 3721 6560 6384 2018-10-07T14:05:05Z JayFoxRox 2 Use yes and no templates wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | altaddr |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | authuser |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | boxid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | break |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | bye |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | capcontrol |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |- | style="font-family: monospace; text-align: left" | capctrl |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | continue |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | crashdump |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | d3dopcode |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgname |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgoptions |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugger |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dedicate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | deftitle |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | delete |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dirlist |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dmversion |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivefreespace |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivelist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdblk |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdperf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | flash |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | fmtfat |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | funccall |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getd3dstate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getextcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getgamma |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem2 |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpalette |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsum |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsurf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getutildrvinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | go |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | gpucount |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | halt |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | irtsweep |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isbreak |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isdebugger |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | kd |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | keyxchg |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lockmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lop |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | magicboot |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | memtrack |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mkdir |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mmglobal |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modlong |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modsections |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modules |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | nostopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notify |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notifyat |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pbsnap |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pclist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pdbinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pssnap |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | querypc |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | reboot |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | rename |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | resume |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | screenshot |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | servname |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setconfig |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setsystime |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | signcontent |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stop |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | suspend |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | sysfileupd |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | systime |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threadinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threads |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | title |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | user |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | userlist |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | vssnap |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | walkmem |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | writefile |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xbeinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xtlinfo |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} e7ac0705ea27c870e33781beced57c80e39346a4 6564 6560 2018-10-07T14:11:16Z JayFoxRox 2 setmem was not listed wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | altaddr |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | authuser |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | boxid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | break |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | bye |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | capcontrol |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |- | style="font-family: monospace; text-align: left" | capctrl |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | continue |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | crashdump |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | d3dopcode |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgname |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgoptions |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugger |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dedicate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | deftitle |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | delete |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dirlist |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dmversion |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivefreespace |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivelist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdblk |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdperf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | flash |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | fmtfat |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | funccall |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getd3dstate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getextcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getgamma |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem2 |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpalette |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsum |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsurf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getutildrvinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | go |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | gpucount |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | halt |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | irtsweep |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isbreak |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isdebugger |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | kd |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | keyxchg |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lockmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lop |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | magicboot |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | memtrack |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mkdir |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mmglobal |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modlong |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modsections |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modules |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | nostopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notify |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notifyat |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pbsnap |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pclist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pdbinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pssnap |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | querypc |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | reboot |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | rename |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | resume |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | screenshot |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | servname |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setconfig |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setmem |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setsystime |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | signcontent |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stop |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | suspend |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | sysfileupd |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | systime |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threadinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threads |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | title |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | user |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | userlist |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | vssnap |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | walkmem |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | writefile |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xbeinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xtlinfo |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} 846909365981e7678ef4ce17e4f7783980b0a7a8 6565 6564 2018-10-07T14:12:25Z JayFoxRox 2 Had set version marked for setmem wikitext text/x-wiki The following table shows the commands available in each version of the [[Xbox Debug Monitor]]. {| class="wikitable" style="margin: 0 auto; text-align: center;" |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | adminpw |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | altaddr |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | authuser |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | boxid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | break |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | bye |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | capcontrol |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |- | style="font-family: monospace; text-align: left" | capctrl |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | continue |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | crashdump |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | d3dopcode |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgname |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dbgoptions |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugger |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | debugmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dedicate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | deftitle |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | delete |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dirlist |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dmversion |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivefreespace |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | drivelist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdblk |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | dvdperf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | fileeof |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | flash |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | fmtfat |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | funccall |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getd3dstate |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getextcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getgamma |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getmem2 |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpalette |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getpid |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsum |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getsurf |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | getutildrvinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | go |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | gpucount |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | halt |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | irtsweep |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isbreak |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | isdebugger |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | isstopped |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | kd |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | keyxchg |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lockmode |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | lop |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | magicboot |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | memtrack |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mkdir |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | mmglobal |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modlong |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modsections |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | modules |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | nostopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notify |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | notifyat |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pbsnap |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pclist |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pdbinfo |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | pssnap |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | querypc |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | reboot |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | rename |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | resume |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | screenshot |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |- | style="font-family: monospace; text-align: left" | sendfile |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | servname |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setconfig |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setcontext |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setfileattributes |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setmem |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{yes}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |{{unknown}} |- | style="font-family: monospace; text-align: left" | setsystime |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | setuserpriv |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | signcontent |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stop |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | stopon |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | suspend |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | sysfileupd |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | systime |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threadinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | threads |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | title |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | user |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | userlist |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | vssnap |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | walkmem |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | writefile |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xbeinfo |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- | style="font-family: monospace; text-align: left" | xtlinfo |{{no}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |{{yes}} |- style="font-size: x-small" ! ! 3146.3 ! 3521 ! 3823 ! 3944 ! 4039 ! 4134 ! 4242 ! 4361 ! 4432 ! 4531 ! 4627 ! 4721 ! 4831 ! 4928 ! 5028 ! 5120 ! 5233 ! 5344 ! 5455 ! 5558 ! 5659 ! 5788 ! 5849 ! 5933 |} 9af76a9dc53199d6dc28f68a752101fa974f758a 10 3741 6561 5412 2018-10-07T14:05:47Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#FCC;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-no"|{{{1|&#x2717;}}}<noinclude> |} {{documentation}} </noinclude> 8ba551b5e70468184a4b6a7526ec339401c71ede 6566 6561 2018-10-07T14:27:28Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#FDD;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-no"|{{{1|&#x2717;}}}<noinclude> |} {{documentation}} </noinclude> 17198b1de0ccfa0f5cc24bb83f1e0a2168e8aca4 6567 6566 2018-10-07T14:28:15Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#F2CECE;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-no"|{{{1|&#x2717;}}}<noinclude> |} {{documentation}} </noinclude> c2bb316e76e2dff1c394a698db9649cf077714db 10 3740 6562 5414 2018-10-07T14:06:09Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#DFE;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2714;}}}<noinclude> |} {{documentation}} </noinclude> b8425f8d66d9780225142dcbc92442237a90c88d 6568 6562 2018-10-07T14:28:31Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#CEF2E0;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|&#x2714;}}}<noinclude> |} {{documentation}} </noinclude> afb08732635eec486e7424f4561c997b603984b5 10 3813 6563 5890 2018-10-07T14:10:41Z JayFoxRox 2 wikitext text/x-wiki <noinclude>{| class="wikitable" |- |</noinclude>style="background:#DDD;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-unknown"|{{{1|?}}}<noinclude> |} {{documentation}} </noinclude> d302768f810db3553dae56872f132d5f28ee5117 0 3669 6569 6422 2018-10-11T12:29:00Z DarkGabbz 2486 wikitext text/x-wiki There are different retail Xbox hardware revisions: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. any Xbox DVD drive can be used in any retail xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he succesfully flashed a Hitachi drive to boot a copied game on a unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 95194efaca5e1d509940653361776f179798423f 6 3976 6570 2018-10-11T13:17:33Z DarkGabbz 2486 Xbox Controller connector male to USB Connector female wikitext text/x-wiki Xbox Controller connector male to USB Connector female 97ff26c3f95727ccd55512be02b34fd8156be7b4 0 11 6571 6465 2018-10-11T13:29:57Z Dracc 2502 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 630e36d1260174e3683304d3a1aeb5b2bcc28a44 6572 6571 2018-10-11T14:12:54Z DarkGabbz 2486 /* Wiring */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description [[File:Xboxmaletousbfemale.png]] |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] a27a54867b82f9ed53b94c4e425d7f3f7e7d7c94 6573 6572 2018-10-11T14:13:13Z DarkGabbz 2486 /* Wiring */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 2fc4f0677ce3b4ab34f59f43c12d5988ce5707d7 6574 6573 2018-10-11T14:49:20Z DarkGabbz 2486 /* USB Adapters */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} [[File:Xboxmaletousbfemale.png]] === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] e493b51b8e66b7ae72772422fd9d666c3b2099d4 6575 6574 2018-10-11T14:49:27Z DarkGabbz 2486 /* USB Adapters */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] cb58089cd09eec5ee9ccc305ecc9ce3723c209fa 6576 6575 2018-10-11T14:52:43Z DarkGabbz 2486 /* USB Adapters */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). ---- [[File:Xboxmaletousbfemale.png|thumb|right|]] ---- {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] ac568aa7bb047d6eaf96125500648ddc598d0b6e 6577 6576 2018-10-11T14:53:34Z DarkGabbz 2486 /* USB Adapters */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram of a DIY USB Adapter]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] dfff0f6b2c124ec98b2374cf7e7c9799dfd1201e 6578 6577 2018-10-11T14:57:56Z DarkGabbz 2486 wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram of a DIY USB adapter]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 2738d19ca4e8078d16182e7fbd0c45926c27c9d0 6579 6578 2018-10-11T15:00:41Z JayFoxRox 2 Changed label for wiring diagram [white / gray + more precise] wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] e4a9fee29d21a6d648b6381d532c7b17aadcd8c0 0 3683 6580 6277 2018-10-16T02:05:33Z JayFoxRox 2 2BL address was wrong wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: * The MCPX ROM contains a key to decrypt the 2BL. * The 2BL is run. The MCPX ROM is hidden at this point. The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. The 2BL contains a kernel decryption key. * Once the kernel is decrypted and initialized, the INIT section is discarded. The kernel decryption key is overwritten with 0x00-Bytes. * The kernel only runs signed [[XBE]] files from allowed media. There are also a handful of assumptions: * The CPU will start execution in the MCPX ROM. * The MCPX ROM can not be read or modified. * The decrpyted 2BL or Kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00090000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Configure LDT bus ==== DWORD flow control is enabled in the MCPX. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> DWORD flow control is also enabled in the NV2A core. <pre> out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> The LDT bus is reset. <pre> out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); </pre> The rest is unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Enable USB ASRC ==== The USB controller's "automatic slew rate compensation" feature is enabled for MCPX revisions D01 and later. <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] f28da6e507f2842617393c52b8d49ab19b41e34b 6581 6580 2018-10-17T14:04:48Z JayFoxRox 2 Improve the short-version of chain of trust wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: '''MCPX X2''' There's no chain of trust. It behaves similar to the MCPX X3 1.0 boot, just that the MCPX ROM is not available, so the code is loaded from untrusted flash. There are also different X-Code opcodes and keys. '''MCPX X3 1.0''' * MCPX ROM: ** Runs untrusted from flash X-Codes in a limited virtual-machine. ** Contains key + decrypts the 2BL using RC4. ** In success case: Go to 2BL. ** In error case: Hides ROM and intends to triple-fault. * 2BL: ** The MCPX ROM is hidden. ** The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. ** Contains keys for kernel decryption and execution; decrypts kernel using RC4 and extracts using LZX.{{FIXME|reason=I believe kernel is also hashed}} * Kernel: ** The kernel decryption key is overwritten with 0x00-Bytes. ** The 2BL is overwritten with 0xCC-Bytes. ** Once the kernel is initialized, the INIT section is discarded. ** The kernel only runs signed [[XBE]] files from allowed media. '''MCPX X3 1.1''' * MCPX ROM: ** Runs untrusted from flash X-Codes in a limited virtual-machine. ** Hashes the unencrypted FBL using TEA encryption. ** In success case: Go to FBL. ** In error case: Hides ROM and intends to triple-fault. * FBL: ** Verify 2BL image. ** Derive key from key stored in MCPX + Flash, and decrypt 2BL. ** Go to 2BL. The rest of the boot behaves like MCPX X3 1.0. '''Assumptions for chain-of-trust''' * The CPU will start execution in trusted MCPX ROM. * The MCPX ROM can not be read or modified. * The decrypted 2BL or kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00090000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x000 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x00000000 and 0x80000000 will both map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x800 || 0x000000E3 |- |0x004 || 0x004000E3 |- |0x804 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Configure LDT bus ==== DWORD flow control is enabled in the MCPX. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> DWORD flow control is also enabled in the NV2A core. <pre> out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> The LDT bus is reset. <pre> out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); </pre> The rest is unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Enable USB ASRC ==== The USB controller's "automatic slew rate compensation" feature is enabled for MCPX revisions D01 and later. <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 24ac0de8e3ecda518cd719210108fdfa1fbf7449 6582 6581 2018-10-18T04:00:07Z JayFoxRox 2 Order was slightly confusing wikitext text/x-wiki This article describes the boot sequence of the Xbox. A large portion of it is patended in [https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US6907522.pdf Patent "US 6,907,522 B2"] == Overview == The Xbox has a 256 kiB ROM containing the startup animation and sound, as well as the Xbox kernel, which contains a stripped down version of the Windows 2000 (NT 5.0) microkernel, the HAL, filesystems, as well as HDD and DVD drivers. When the Xbox is turned on, the software in ROM is decompressed into RAM, and the kernel initializes the hardware. Because there are no audio or video drivers in the kernel, the startup code plays the animation and sound by accessing the registers of the hardware directly. As soon as the Xbox logo is on the display, the kernel unlocks the hard disk and checks whether there is a valid game medium in the DVD drive. If not, the file xboxdash.xbe gets loaded from partition #3 (Typically the [[Dashboard]]). In either case, the Microsoft logo is shown below the Xbox logo and the executable is started. If an error occurs (no/wrong hard disk, wrong signature, ...), the boot loader shows a [[Fatal Error]] screen and halts. === Chain of trust === The Xbox uses a chain of trust during the boot process: '''MCPX X2''' There's no chain of trust. It behaves similar to the MCPX X3 1.0 boot, just that the MCPX ROM is not available, so the code is loaded from untrusted flash. There are also different X-Code opcodes and keys. '''MCPX X3 1.0''' * MCPX ROM: ** Runs untrusted from flash X-Codes in a limited virtual-machine. ** Contains key + decrypts the 2BL using RC4. ** In success case: Go to 2BL. ** In error case: Hides ROM and intends to triple-fault. * 2BL: ** The MCPX ROM is hidden. ** The 2BL decryption key is (overwritten with 0x00-Bytes){{FIXME|reason=Does this actually happen?}}. ** Contains keys for kernel decryption and execution; decrypts kernel using RC4 and extracts using LZX.{{FIXME|reason=I believe kernel is also hashed}} * Kernel: ** The kernel decryption key is overwritten with 0x00-Bytes. ** The 2BL is overwritten with 0xCC-Bytes. ** Once the kernel is initialized, the INIT section is discarded. ** The kernel only runs signed [[XBE]] files from allowed media. '''MCPX X3 1.1''' * MCPX ROM: ** Runs untrusted from flash X-Codes in a limited virtual-machine. ** Hashes the unencrypted FBL using TEA encryption. ** In success case: Go to FBL. ** In error case: Hides ROM and intends to triple-fault. * FBL: ** Verify 2BL image. ** Derive key from key stored in MCPX + Flash, and decrypt 2BL. ** Go to 2BL. The rest of the boot behaves like MCPX X3 1.0. '''Assumptions for chain-of-trust''' * The CPU will start execution in trusted MCPX ROM. * The MCPX ROM can not be read or modified. * The decrypted 2BL or kernel can not be read entirely. * All parts of the software following the MCPX are not-attackable and signed. See [[Exploits]] for possible options to break the chain of trust. == MCPX ROM == Certain things are still missing, for example, getting the CPU to 32 bit protected mode and enabling caching.{{FIXME}} === Xcodes === The xcode interpreter is common through both versions of the MCPX ROM. The high level interpretation of the MCPX ROM might look like this: <pre> void xcode_interpreter() { // values are implied as x86 is just starting up register uint32_t pc = 0; // stored in ESI register register uint8_t opcode = 0; // stored in AL register register uint32_t operand_1 = 0; // stored in EBC register register uint32_t operand_2 = 0; // stored in ECX register register uint32_t result = 0; // stored in EDI register register uint32_t scratch = 0; // stored in EBP register // explicitly set startup point pc = 0xFF000080; while (1) { opcode = get_memory_byte(pc); operand_1 = get_memory_dword(pc+1); operand_2 = get_memory_dword(pc+5); if (opcode == 0x07) { opcode = operand_1; operand_1 = operand_2; operand_2 = result; } if (opcode == 0x02) { result = get_memory_dword(operand_1 & 0x0fffffff); } else if (opcode == 0x03) { set_memory_dword(operand_1) = operand_2; } else if (opcode == 0x06) { result = (result & operand_1) | operand_2; } else if (opcode == 0x04) { if (operand_1 == 0x80000880) { operand_2 &= 0xfffffffd; } outl(operand_1, 0xcf8); outl(operand_2, 0xcfc); } else if (opcode == 0x05) { outl(operand_1, 0xcf8); result = inl(0xcfc); } else if (opcode == 0x08) { if (result != operand_1) { pc += operand_2; } } else if (opcode == 0x09) { pc += operand_2; } else if (opcode == 0x10) { scratch = (scratch & operand_1) | operand_2; result = scratch; } else if (opcode == 0x11) { outb(operand_2, operand_1); } else if (opcode == 0x12) { result = inb(operand_1); } else if (opcode == 0xee) { break; } pc += 9; } } </pre> === RC4 Decryption of the 2BL (MCPX 1.0 only) === Version 1.0 of the ROM uses RC4 to decrypt the 2BL. The RC4 algorithm was included as part of MCPX 1.0 and seems to work fine with BIOS versions 3944, 4034, and 4134. ==== Stage 1: Key Scheduling ==== The [https://en.wikipedia.org/wiki/RC4#Key-scheduling_algorithm_.28KSA.29 RC4 Key-Scheduling Algorithm] is used to initialize the RC4 “S” array, first initializing the identity permutation (writing 1, 2, ..., 255 to 0x8F000 to 0x8F0FF), then processed in a way similar to the PRGA to mix in the key. <pre> uint8_t *s = (uint8_t *)0x8f000; uint32_t i; for (i = 0; i <= 255; i++) { s[i] = i; } uint8_t *key = (uint8_t *)0xffffffa5; /* ROM offset 0x1a5. */ uint8_t j, t; /* It is unclear why values s[0x100..0x101] are being set to 0. They are * not modified by the code, but later these will be be used as the initial * i, j values in the PRGA. */ s[0x100] = 0x00; s[0x101] = 0x00; for (i = 0, j = 0; i <= 255; i++) { j = j + s[i] + key[i%16]; /* Swap s[i] and s[j] */ t = s[i]; s[i] = s[j]; s[j] = t; } </pre> ==== Stage 2: PRGA ==== The [https://en.wikipedia.org/wiki/RC4#Pseudo-random_generation_algorithm_.28PRGA.29 RC4 Pseudo-random generation algorithm (PRGA)] is then used to decrypt the 2BL from 0xFFFF9E00, storing the decrypted 2BL at 0x00090000. It is 24KiB in size. <pre> uint8_t *encrypted = (uint8_t*)0xFFFF9E00; /* 2bl */ uint8_t *decrypted = (uint8_t*)0x90000; /* Decrypted 2bl Destination */ uint32_t pos; /* As noted above, s[0x100..0x101] were set to 0 earlier, but have not been * modified since. The RC4 algorithm defines i and j both to be set to 0 * before PRGA begins. */ i = s[0x100]; j = s[0x101]; for (pos = 0; pos < 0x6000; pos++) { /* Update i, j. */ i = (i + 1) & 0xff; j += s[i]; /* Swap s[i] and s[j]. */ t = s[i]; s[i] = s[j]; s[j] = t; /* Decrypt message and write output. */ decrypted[pos] = encrypted[pos] ^ s[ s[i] + s[j] ]; } </pre> ==== Stage 3: Signature Verification ==== Now that the Second-Stage Bootloader has been loaded, a quick sanity-check is performed: a “magic” signature is verified. If the signature doesn’t match, control goes to the error handler. If the signature does match, the code will jump to the 2bl entry point, which is given by the first dword of the decrypted 2bl. <pre> mov eax, [0x95fe4] cmp eax, MAGIC_NUMBER jne 0xffffff94 ; If signature check failed, jump to error handler mov eax, [0x90000] jmp eax ; Jump to 2BL entry point </pre> === TEA Decryption of the FBL (MCPX 1.1 only) === {{FIXME}} == FBL (MCPX 1.1 only) == The Flash Boot Loader was added in MCPX 1.1, it connects the MCPX ROM and the 2BL.{{FIXME}} It is not part of the MCPX ROM, but part of the flash. == 2BL == {{FIXME|reason=Certain parts are still missing.}} === MTRR Setup === First, the cache is disabled.{{FIXME}} Then, the MTRR (Memory Type Range Register) will be setup (using <code>wrmsr</code>) in the following way: {| class="wikitable" ! MTRR (ecx) !! High value (edx) !! Low value (eax) !! Notes |- |0x200 || 0x00000000 || 0x00000006 || |- | rowspan = "2" | 0x201 || rowspan = "2" | 0x0000000F || 0xFC000800 || ''(For 64 MiB RAM BIOS)'' |- |0xF8000800 || (''For 128 MiB RAM BIOS'') |- |0x202 || 0x00000000 || 0xFFF80005 || |- |0x203 || 0x0000000F || 0xFFF80800 || |- |0x204 || 0x00000000 || 0x00000000 || rowspan="3" | Clear all unused MTRR |- | colspan = "3" | ... |- |0x20F || 0x00000000 || 0x00000000 |- |0x2FF || 0x00000000 || 0x00000800 || |} Once the MTRR have been written, the cache is enabled.{{FIXME}} === Register setup === Now the 2BL will set up the segment registers{{FIXME|reason=why?!}} and stack: {| class="wikitable" ! Register !! Value !! Notes |- |ds || 0x0010 || rowspan="3" | Data segment{{citation needed}} |- |es || 0x0010 |- |ss || 0x0010 |- |esp || 0x00400000 || |- |fs || 0x0000 || |- |gs || 0x0000 || |} === Self-copy === Now the 2BL copies itself (24 kiB) from 0x00090000 to memory address 0x00400000. === Paging === Now a PDE is prepared at address 0x0000F000: {| class="wikitable" ! Offset in PDE !! Value !! Notes |- |0x800 || 0x000000E3 || rowspan="7" | Identity maps the first 256MiB of RAM: 0x80000000 and 0x00000000 will each map to physical page 0 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0x000 || 0x000000E3 |- |0x804 || 0x004000E3 |- |0x004 || 0x004000E3 |- | colspan="2" | ... |- |0x8FC || 0x0FC000E3 |- |0x0FC || 0x0FC000E3 |- |0x900 || 0x00000000 || rowspan="5" | Unmapping the rest of the pages |- |0x100 || 0x00000000 |- | colspan="2" | ... |- |0xFFC || 0x00000000 |- |0x7FC || 0x00000000 |- |0xC00 || 0x0000F063 || Maps the PDE (4 kiB page) to address 0xC0000000 <br><br> 0x63: Flags: <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFFC || 0xFFC000E3 || Identity maps the upper portion of the Flash (4 MiB page) to address 0xFFC00000 <br><br> 0xE3: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD0 || 0xFD0000FB || rowspan="4" | Maps 16 MiB for the GPU control registers <br><br> 0xFB: Flags: <br> * 0x80: 4 MiB page <br> * 0x40: Marked as previously written (Dirty) <br> * 0x20: Marked as previously accessed <br> * 0x10: Cache disabled <br> * 0x08: Write-Through caching <br> * 0x02: Read/Write <br> * 0x01: Present |- |0xFD4 || 0xFD4000FB |- |0xFD8 || 0xFD8000FB |- |0xFDC || 0xFDC000FB |} After setting up the PDE, the PAT is set up using <code>wrmsr</code>: {{FIXME}} CR4 is touched {{FIXME}} CR3 is touched {{FIXME}} Now paging is activated by enabling the PG and WP bits in CR0. Additionally, the same <code>or</code> instruction is used to enable the NE bit in cr0. === 2BL main === esp is now also reloaded to point at the relocated address. It will be set to 0x80400000 (absolute value, independent of previous esp value). The 2BL will now <code>call</code> into the relocated 2BL code somewhere near 0x00400000. ==== Disabling of the MCPX ROM ==== <pre> out32(0xCF8, 0x80000880); out8(0xCFC, 0x02); </pre> ==== SMC handling ==== The [[SMC]] has a watchdog functionality which must be turned off. This is done by querying the SMC registers 0x1C - 0x1F. If all of them are 0x00 the 2BL will shutdown the system{{FIXME}}. If this is not the case, the bootloader calculates the watchdog challenge response and sends it to SMC registers 0x20 and 0x21. Additionally, the 2BL will set SMC register 0x01 to 0 (which resets the cursor position for reading the SMC revision information). ==== Enable IDE and NIC ==== <pre> out32(0xCF8, 0x8000088C); out32(0xCFC, 0x40000000); </pre> ==== Memory cleanup ==== The 2BL fills memory with 0xCC from 0x80090000 to 0x80095FFF. These are the 24 kiB where the 2BL was stored previously. ==== Setup RAM timing ==== Not described yet, this is complicated{{FIXME}}. This got a lot more complicated when Microsoft started using different RAM sometime after [[Hardware Revisions#1.6|Hardware Revision 1.6]] was already out. ==== Configure LDT bus ==== DWORD flow control is enabled in the MCPX. <pre> out32(0xCF8, 0x80000854); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> DWORD flow control is also enabled in the NV2A core. <pre> out32(0xCF8, 0x80000064); out32(0xCFC, in32(0xCFC) | 0x88000000); </pre> The LDT bus is reset. <pre> out32(0xCF8, 0x8000006C); uint32_t tmp = in32(0xCFC); out32(0xCFC, tmp & 0xFFFFFFFE); out32(0xCFC, tmp); </pre> The rest is unknown{{FIXME}}. <pre> out32(0xCF8, 0x80000080); out32(0xCFC, 0x00000100); </pre> ==== Enable USB ASRC ==== The USB controller's "automatic slew rate compensation" feature is enabled for MCPX revisions D01 and later. <pre> out32(0xCF8, 0x80000808); uint8_t mcpx_revision = in8(0xCFC); if (mcpx_revision >= 0xD1) { out32(0xCF8, 0x800008C8); out32(0xCFC, 0x00008F00); } </pre> ==== Loading the kernel ==== ===== Kernel-copy ===== The Kernel is now copied into RAM. ===== Kernel decryption ===== The 2BL will copy the kernel decryption key (16 bytes) from offset 32 of an array of 3 keys: {| class="wikitable" ! Offset !! Use |- | 0 || EEPROM key |- | 16 || Certificate key |- | 32 || Kernel key |} The Kernel is then decrypted in-place using RC4. ===== Kernel decompression ===== The Kernel is decompressed directly to 0x80010000 where it will reside until a full system shutdown. ==== Running the kernel ==== The xboxkrnl.exe header at 0x8001000 is checked{{FIXME|reason=how?}}. If it is invalid, {{FIXME}}. If it is valid, the kernel entry point is looked up from the PE optional header. The hardcoded image base of 0x8001000 is added to the entry point. The entry-point is now being called. Argumnts are passed on the stack, from right to left. The first argument is a commandline string loaded from memory address 0x80400000. It is an empty string for retail BIOS{{FIXME|reason=Mention options for debug bioses here}}. A pointer to the previously mentioned array of 3 keys is passed as the second argument. == Kernel == === Initialization === ==== Stage 1 (Cold-boot only) ==== The entry point to the kernel will first parse the arguments.{{FIXME}} At the end, the kernel will call the initialization routine for what we'll refer to as: Stage 2a. ==== Stage 2 (Cold-boot only) ==== The kernel initialization will only happen once on a cold-boot. It will not happen for reboots. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * GDT is prepared{{FIXME}} and loaded{{FIXME}} * cs and ds are reloaded * fs is set{{FIXME}} * TSS is loaded{{FIXME}} * cr3 is moved to 3 tasks{{FIXME}} * The CPU microcode is updated After this comes Stage 3 initialization which will also be repeated on kernel re-initialization. ==== Stage 3 ==== This is code which is duplicated in INIT and .text sections. * In the INIT section it directly follows the Stage 2 initialization. * In the .text section it follows the Kernel re-initialization code mentioned below. This code does the following: * IDT is prepared{{FIXME}} and loaded{{FIXME}} * {{FIXME|reason=a lot more happens here.. If you want to RE this: look into the HalReturnToFirmware code [last call is to Stage 2b]; the kernel entry point [last call is to Stage 2a]; or just search for lidt instructions}} === Re-initialization === On reboots, initialization Stage 1 and 2 are not in memory anymore (as the INIT section has been discarded), and can't be run anymore. Instead, a seperate function replaces their functionality and then jumps directly to Stage 3 initalization. This code is the partial kernel reinitialization, which will be ran on reboots using [[Kernel/HalReturnToFirmware]]. * ebp is set to 0x00000000 * esp is modified{{FIXME}} * Some memory stuff in a seperate function{{FIXME}} * The .data section from [[Flash]] is loaded and replaces the running .data * The byte infront of KeSystemTime is set to 0x01, indicating the system comes from a reboot. After this has completed, [[#Stage 3]] of the kernel initialization will take over. ==== Skipped initialization ==== When rebooting, certain parts are still initialized and assumed to be working: (This list is currently in no particular order and incomplete) * Anything already done by Stage 1 and Stage 2 * PCI device setup * EEPROM decryption{{FIXME}} * Check for AV-Pack{{FIXME}} * Video mode setup (boot animation is not played again) * Some IDE stuff{{FIXME}} * Some SMC stuff{{FIXME}} * Memory allocator initialization{{FIXME}} * Kernel debugger (Super-I/O) initialization{{FIXME}} (This still seems to be in memory?!){{citation needed}} === Startup animation === == References == * [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process] * [https://mborgerson.com/deconstructing-the-xbox-boot-rom Deconstructing the Boot ROM] 783b95460be8df8563edd79e208a52878731e6d4 0 3681 6583 6006 2018-10-18T18:39:21Z JayFoxRox 2 /* References */ wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that that the Pentium III in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] (This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/24542154.pdf This specification update should contain the errata for the Xbox CPU] * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. 94e859a76c65cc92c89601e790c79ec50851e07f 6584 6583 2018-10-18T18:40:34Z JayFoxRox 2 /* References */ wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that that the Pentium III in the Xbox was that it had only 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/24542154.pdf Mobile Intel® Celeron® Processor (0.18μ and 0.13μ) Specification Update] This document should contain the errata for the Xbox CPU. * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. 53c9af2b5739e32d689b6eda2820fc84129804a6 0 3742 6585 6503 2018-10-19T19:43:20Z KaosEngineer 2482 Added info for video standard at offset 0x58-0x5B for not set and PAL-M wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 9c36fccf7cdbf6367506646c9bf27b61f4566c9f 6586 6585 2018-10-19T19:52:20Z KaosEngineer 2482 0x2C-0x2F region Europe also includes Australia for value 0x04 (noted in XBMC4Xbox source code updates in XKEEPROM.h file) wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe & Australia |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] bb0db6c637b346df38de4c3b0f2e64fe367b7fe9 6587 6586 2018-10-19T19:57:58Z KaosEngineer 2482 0x40-0x45 MAC address. Added info as they start with 00:50:F2 and another one I can't remember and data locked out on glitched FW HDD so can't look for it. :( wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe & Australia |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 4280af11b8d229bd9d27cf95434cf65f6d616810 6588 6587 2018-10-19T20:03:07Z KaosEngineer 2482 Added A and B button values stored in the Parental Passcode at offset 0xA0-0xA3 wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe & Australia |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; const uint32_t num_dwords = section_data_length >> 2; uint64_t checksum = 0; uint32_t carry_count = 0; for(uint32_t loop_count = num_dwords; loop_count > 0; loop_count--) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 00e883c691586b257ad5735c7dc515e694e0549d 2 3948 6589 6393 2018-10-20T03:11:35Z JayFoxRox 2 wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === === SMC Warm Reboot === === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === === Triple fault === === PCI-to-PCI bridge secondary bus reset === ---- 804492f4646654d5e5695047f3344739f765a8e7 6590 6589 2018-10-20T03:17:45Z JayFoxRox 2 /* SMC Cold Reboot */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === === Triple fault === === PCI-to-PCI bridge secondary bus reset === ---- cee76e82ac7f030cf6fae04063473bb15bd6dd32 6591 6590 2018-10-20T03:17:51Z JayFoxRox 2 /* SMC Warm Reboot */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === === Triple fault === === PCI-to-PCI bridge secondary bus reset === ---- 08e124d7407a8d7bc94d0fe35f631370bc63888b 6592 6591 2018-10-20T03:18:22Z JayFoxRox 2 /* RST_CNT (RST_CPU + SYS_RST + FULL_RST) */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === === PCI-to-PCI bridge secondary bus reset === ---- 4bd3d2f195b89a1a5c9c528b0542fc86b41944d1 6593 6592 2018-10-20T03:18:46Z JayFoxRox 2 /* Triple fault */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === ---- 5ec8019c84a2288b5ee060f6dcaaf2e19516be24 6594 6593 2018-10-20T03:18:57Z JayFoxRox 2 /* PCI-to-PCI bridge secondary bus reset */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- eca9413f9ba41e99762d9f91570bfe48413833e7 6595 6594 2018-10-20T03:19:12Z JayFoxRox 2 /* PM26 */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- 1268b7d810a9d6feae4e53130dd4a120d94020f4 6597 6595 2018-10-21T23:16:46Z JayFoxRox 2 /* Unfinished information */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- 19b1a6a91e17a1c3f96584608493adf54583971f 6598 6597 2018-10-21T23:27:56Z JayFoxRox 2 /* THPS2X Syslink crash */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- f3df32ce97c789e48153863f88a050973d7dcab9 0 3678 6596 6275 2018-10-21T17:23:48Z JayFoxRox 2 Mention that some keys are depending on running XBE (details need to be documented) wikitext text/x-wiki The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT [[Wikipedia:Ntoskrnl.exe|ntoskrnl.exe]]. Its image base address is always 0x80010000. == Header modifications == xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40: {| class=wikitable ! Offset !! Meaning |- |40 || Size of uninitialized portion of the .data section |- |44 || Size of initialized portion of the .data section |- |48 || Memory address of initialized portion of the .data section (usually in [[Flash]]). <br> Used to re-initialize the data section pointed to by the next field. <br> Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |- |52 || Memory address where the .data section is stored (usually the same as in the section header + image base). |} == Sections == All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory. === .text === The .text section contains the kernel exports. === .data === The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the [[BIOS]]. === STICKY === Stores variables which must be preserved across a quick-reboot. === IDEXPRDT === A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves as a memory allocation only, it does not have to be initialized when loading the kernel{{citation needed}}. === INIT === This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described [[Boot_Process#Initialization|here]]. Later kernels{{FIXME|reason=Which revision? right now it appears that *ALL* kernels will discard this}} will discard this section after initialization. INIT also contains the [[Boot Animation]], so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore. == Kernel exports == {| class="wikitable" |+Kernel exports |- !Name !Ordinal !x86 Calling Convention !Notes |- |[[Kernel/AvGetSavedDataAddress]] |1 |stdcall | |- |[[Kernel/AvSendTVEncoderOption]] |2 |stdcall | |- |[[Kernel/AvSetDisplayMode]] |3 |stdcall | |- |[[Kernel/AvSetSavedDataAddress]] |4 |stdcall | |- |[[Kernel/DbgBreakPoint]] |5 |stdcall | |- |[[Kernel/DbgBreakPointWithStatus]] |6 |stdcall | |- |[[Kernel/DbgLoadImageSymbols]] |7 |stdcall |Devkits only! |- |[[Kernel/DbgPrint]] |8 |stdcall | |- |[[Kernel/HalReadSMCTrayState]] |9 |stdcall | |- |[[Kernel/DbgPrompt]] |10 |stdcall | |- |[[Kernel/DbgUnLoadImageSymbols]] |11 |stdcall |Devkits only! |- |[[Kernel/ExAcquireReadWriteLockExclusive]] |12 |stdcall | |- |[[Kernel/ExAcquireReadWriteLockShared]] |13 |stdcall | |- |[[Kernel/ExAllocatePool]] |14 |stdcall | |- |[[Kernel/ExAllocatePoolWithTag]] |15 |stdcall | |- |[[Kernel/ExEventObjectType]] |16 | |Variable: OBJECT_TYPE |- |[[Kernel/ExFreePool]] |17 |stdcall | |- |[[Kernel/ExInitializeReadWriteLock]] |18 |stdcall | |- |[[Kernel/ExInterlockedAddLargeInteger]] |19 |stdcall | |- |[[Kernel/ExInterlockedAddLargeStatistic]] |20 |fastcall | |- |[[Kernel/ExInterlockedCompareExchange64]] |21 |fastcall | |- |[[Kernel/ExMutantObjectType]] |22 | |Variable: OBJECT_TYPE |- |[[Kernel/ExQueryPoolBlockSize]] |23 |stdcall | |- |[[Kernel/ExQueryNonVolatileSetting]] |24 |stdcall | |- |[[Kernel/ExReadWriteRefurbInfo]] |25 |stdcall | |- |[[Kernel/ExRaiseException]] |26 |stdcall | |- |[[Kernel/ExRaiseStatus]] |27 |stdcall | |- |[[Kernel/ExReleaseReadWriteLock]] |28 |stdcall | |- |[[Kernel/ExSaveNonVolatileSetting]] |29 |stdcall | |- |[[Kernel/ExSemaphoreObjectType]] |30 | |Variable: OBJECT_TYPE |- |[[Kernel/ExTimerObjectType]] |31 | |Variable: OBJECT_TYPE |- |[[Kernel/ExfInterlockedInsertHeadList]] |32 |stdcall | |- |[[Kernel/ExfInterlockedInsertTailList]] |33 |fastcall | |- |[[Kernel/ExfInterlockedRemoveHeadList]] |34 |fastcall | |- |[[Kernel/FscGetCacheSize]] |35 |stdcall | |- |[[Kernel/FscInvalidateIdleBlocks]] |36 |stdcall | |- |[[Kernel/FscSetCacheSize]] |37 |stdcall | |- |[[Kernel/HalClearSoftwareInterrupt]] |38 |fastcall | |- |[[Kernel/HalDisableSystemInterrupt]] |39 |stdcall | |- |[[Kernel/HalDiskCachePartitionCount]] |40 | |Variable: ULONG |- |[[Kernel/HalDiskModelNumber]] |41 | |Variable: STRING |- |[[Kernel/HalDiskSerialNumber]] |42 | |Variable: STRING |- |[[Kernel/HalEnableSystemInterrupt]] |43 |stdcall | |- |[[Kernel/HalGetInterruptVector]] |44 |stdcall | |- |[[Kernel/HalReadSMBusValue]] |45 |stdcall | |- |[[Kernel/HalReadWritePCISpace]] |46 |stdcall | |- |[[Kernel/HalRegisterShutdownNotification]] |47 |stdcall | |- |[[Kernel/HalRequestSoftwareInterrupt]] |48 |fastcall | |- |[[Kernel/HalReturnToFirmware]] |49 |stdcall | |- |[[Kernel/HalWriteSMBusValue]] |50 |stdcall | |- |[[Kernel/InterlockedCompareExchange]] |51 |fastcall | |- |[[Kernel/InterlockedDecrement]] |52 |fastcall | |- |[[Kernel/InterlockedIncrement]] |53 |fastcall | |- |[[Kernel/InterlockedExchange]] |54 |fastcall | |- |[[Kernel/InterlockedExchangeAdd]] |55 |fastcall | |- |[[Kernel/InterlockedFlushSList]] |56 |fastcall | |- |[[Kernel/InterlockedPopEntrySList]] |57 |fastcall | |- |[[Kernel/InterlockedPushEntrySList]] |58 |fastcall | |- |[[Kernel/IoAllocateIrp]] |59 |stdcall | |- |[[Kernel/IoBuildAsynchronousFsdRequest]] |60 |stdcall | |- |[[Kernel/IoBuildDeviceIoControlRequest]] |61 |stdcall | |- |[[Kernel/IoBuildSynchronousFsdRequest]] |62 |stdcall | |- |[[Kernel/IoCheckShareAccess]] |63 |stdcall | |- |[[Kernel/IoCompletionObjectType]] |64 | |Variable: OBJECT_TYPE |- |[[Kernel/IoCreateDevice]] |65 |stdcall | |- |[[Kernel/IoCreateFile]] |66 |stdcall | |- |[[Kernel/IoCreateSymbolicLink]] |67 |stdcall | |- |[[Kernel/IoDeleteDevice]] |68 |stdcall | |- |[[Kernel/IoDeleteSymbolicLink]] |69 |stdcall | |- |[[Kernel/IoDeviceObjectType]] |70 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFileObjectType]] |71 | |Variable: OBJECT_TYPE |- |[[Kernel/IoFreeIrp]] |72 |stdcall | |- |[[Kernel/IoInitializeIrp]] |73 |stdcall | |- |[[Kernel/IoInvalidDeviceRequest]] |74 |stdcall | |- |[[Kernel/IoQueryFileInformation]] |75 |stdcall | |- |[[Kernel/IoQueryVolumeInformation]] |76 |stdcall | |- |[[Kernel/IoQueueThreadIrp]] |77 |stdcall | |- |[[Kernel/IoRemoveShareAccess]] |78 |stdcall | |- |[[Kernel/IoSetIoCompletion]] |79 |stdcall | |- |[[Kernel/IoSetShareAccess]] |80 |stdcall | |- |[[Kernel/IoStartNextPacket]] |81 |stdcall | |- |[[Kernel/IoStartNextPacketByKey]] |82 |stdcall | |- |[[Kernel/IoStartPacket]] |83 |stdcall | |- |[[Kernel/IoSynchronousDeviceIoControlRequest]] |84 |stdcall | |- |[[Kernel/IoSynchronousFsdRequest]] |85 |stdcall | |- |[[Kernel/IofCallDriver]] |86 |fastcall | |- |[[Kernel/IofCompleteRequest]] |87 |fastcall | |- |[[Kernel/KdDebuggerEnabled]] |88 | |Variable: BOOLEAN |- |[[Kernel/KdDebuggerNotPresent]] |89 | |Variable: BOOLEAN |- |[[Kernel/IoDismountVolume]] |90 |stdcall | |- |[[Kernel/IoDismountVolumeByName]] |91 |stdcall | |- |[[Kernel/KeAlertResumeThread]] |92 |stdcall | |- |[[Kernel/KeAlertThread]] |93 |stdcall | |- |[[Kernel/KeBoostPriorityThread]] |94 |stdcall | |- |[[Kernel/KeBugCheck]] |95 |stdcall | |- |[[Kernel/KeBugCheckEx]] |96 |stdcall | |- |[[Kernel/KeCancelTimer]] |97 |stdcall | |- |[[Kernel/KeConnectInterrupt]] |98 |stdcall | |- |[[Kernel/KeDelayExecutionThread]] |99 |stdcall | |- |[[Kernel/KeDisconnectInterrupt]] |100 |stdcall | |- |[[Kernel/KeEnterCriticalRegion]] |101 |stdcall | |- |[[Kernel/MmGlobalData]] |102 | |Variable: MMGLOBALDATA |- |[[Kernel/KeGetCurrentIrql]] |103 |stdcall | |- |[[Kernel/KeGetCurrentThread]] |104 |stdcall | |- |[[Kernel/KeInitializeApc]] |105 |stdcall | |- |[[Kernel/KeInitializeDeviceQueue]] |106 |stdcall | |- |[[Kernel/KeInitializeDpc]] |107 |stdcall | |- |[[Kernel/KeInitializeEvent]] |108 |stdcall | |- |[[Kernel/KeInitializeInterrupt]] |109 |stdcall | |- |[[Kernel/KeInitializeMutant]] |110 |stdcall | |- |[[Kernel/KeInitializeQueue]] |111 |stdcall | |- |[[Kernel/KeInitializeSemaphore]] |112 |stdcall | |- |[[Kernel/KeInitializeTimerEx]] |113 |stdcall | |- |[[Kernel/KeInsertByKeyDeviceQueue]] |114 |stdcall | |- |[[Kernel/KeInsertDeviceQueue]] |115 |stdcall | |- |[[Kernel/KeInsertHeadQueue]] |116 |stdcall | |- |[[Kernel/KeInsertQueue]] |117 |stdcall | |- |[[Kernel/KeInsertQueueApc]] |118 |stdcall | |- |[[Kernel/KeInsertQueueDpc]] |119 |stdcall | |- |[[Kernel/KeInterruptTime]] |120 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeIsExecutingDpc]] |121 |stdcall | |- |[[Kernel/KeLeaveCriticalRegion]] |122 |stdcall | |- |[[Kernel/KePulseEvent]] |123 |stdcall | |- |[[Kernel/KeQueryBasePriorityThread]] |124 |stdcall | |- |[[Kernel/KeQueryInterruptTime]] |125 |stdcall | |- |[[Kernel/KeQueryPerformanceCounter]] |126 |stdcall | |- |[[Kernel/KeQueryPerformanceFrequency]] |127 |stdcall | |- |[[Kernel/KeQuerySystemTime]] |128 |stdcall | |- |[[Kernel/KeRaiseIrqlToDpcLevel]] |129 |stdcall | |- |[[Kernel/KeRaiseIrqlToSynchLevel]] |130 |stdcall | |- |[[Kernel/KeReleaseMutant]] |131 |stdcall | |- |[[Kernel/KeReleaseSemaphore]] |132 |stdcall | |- |[[Kernel/KeRemoveByKeyDeviceQueue]] |133 |stdcall | |- |[[Kernel/KeRemoveDeviceQueue]] |134 |stdcall | |- |[[Kernel/KeRemoveEntryDeviceQueue]] |135 |stdcall | |- |[[Kernel/KeRemoveQueue]] |136 |stdcall | |- |[[Kernel/KeRemoveQueueDpc]] |137 |stdcall | |- |[[Kernel/KeResetEvent]] |138 |stdcall | |- |[[Kernel/KeRestoreFloatingPointState]] |139 |stdcall | |- |[[Kernel/KeResumeThread]] |140 |stdcall | |- |[[Kernel/KeRundownQueue]] |141 |stdcall | |- |[[Kernel/KeSaveFloatingPointState]] |142 |stdcall | |- |[[Kernel/KeSetBasePriorityThread]] |143 |stdcall | |- |[[Kernel/KeSetDisableBoostThread]] |144 |stdcall | |- |[[Kernel/KeSetEvent]] |145 |stdcall | |- |[[Kernel/KeSetEventBoostPriority]] |146 |stdcall | |- |[[Kernel/KeSetPriorityProcess]] |147 |stdcall | |- |[[Kernel/KeSetPriorityThread]] |148 |stdcall | |- |[[Kernel/KeSetTimer]] |149 |stdcall | |- |[[Kernel/KeSetTimerEx]] |150 |stdcall | |- |[[Kernel/KeStallExecutionProcessor]] |151 |stdcall | |- |[[Kernel/KeSuspendThread]] |152 |stdcall | |- |[[Kernel/KeSynchronizeExecution]] |153 |stdcall | |- |[[Kernel/KeSystemTime]] |154 | |Variable: KSYSTEM_TIME |- |[[Kernel/KeTestAlertThread]] |155 |stdcall | |- |[[Kernel/KeTickCount]] |156 | |Variable: ULONG |- |[[Kernel/KeTimeIncrement]] |157 | |Variable: ULONG |- |[[Kernel/KeWaitForMultipleObjects]] |158 |stdcall | |- |[[Kernel/KeWaitForSingleObject]] |159 |stdcall | |- |[[Kernel/KfRaiseIrql]] |160 |fastcall | |- |[[Kernel/KfLowerIrql]] |161 |fastcall | |- |[[Kernel/KiBugCheckData]] |162 | |Variable: ULONG_PTR[5] |- |[[Kernel/KiUnlockDispatcherDatabase]] |163 |fastcall | |- |[[Kernel/LaunchDataPage]] |164 | |Variable: PLAUNCH_DATA_PAGE |- |[[Kernel/MmAllocateContiguousMemory]] |165 |stdcall | |- |[[Kernel/MmAllocateContiguousMemoryEx]] |166 |stdcall | |- |[[Kernel/MmAllocateSystemMemory]] |167 |stdcall | |- |[[Kernel/MmClaimGpuInstanceMemory]] |168 |stdcall | |- |[[Kernel/MmCreateKernelStack]] |169 |stdcall | |- |[[Kernel/MmDeleteKernelStack]] |170 |stdcall | |- |[[Kernel/MmFreeContiguousMemory]] |171 |stdcall | |- |[[Kernel/MmFreeSystemMemory]] |172 |stdcall | |- |[[Kernel/MmGetPhysicalAddress]] |173 |stdcall | |- |[[Kernel/MmIsAddressValid]] |174 |stdcall | |- |[[Kernel/MmLockUnlockBufferPages]] |175 |stdcall | |- |[[Kernel/MmLockUnlockPhysicalPage]] |176 |stdcall | |- |[[Kernel/MmMapIoSpace]] |177 |stdcall | |- |[[Kernel/MmPersistContiguousMemory]] |178 |stdcall | |- |[[Kernel/MmQueryAddressProtect]] |179 |stdcall | |- |[[Kernel/MmQueryAllocationSize]] |180 |stdcall | |- |[[Kernel/MmQueryStatistics]] |181 |stdcall | |- |[[Kernel/MmSetAddressProtect]] |182 |stdcall | |- |[[Kernel/MmUnmapIoSpace]] |183 |stdcall | |- |[[Kernel/NtAllocateVirtualMemory]] |184 |stdcall | |- |[[Kernel/NtCancelTimer]] |185 |stdcall | |- |[[Kernel/NtClearEvent]] |186 |stdcall | |- |[[Kernel/NtClose]] |187 |stdcall | |- |[[Kernel/NtCreateDirectoryObject]] |188 |stdcall | |- |[[Kernel/NtCreateEvent]] |189 |stdcall | |- |[[Kernel/NtCreateFile]] |190 |stdcall | |- |[[Kernel/NtCreateIoCompletion]] |191 |stdcall | |- |[[Kernel/NtCreateMutant]] |192 |stdcall | |- |[[Kernel/NtCreateSemaphore]] |193 |stdcall | |- |[[Kernel/NtCreateTimer]] |194 |stdcall | |- |[[Kernel/NtDeleteFile]] |195 |stdcall | |- |[[Kernel/NtDeviceIoControlFile]] |196 |stdcall | |- |[[Kernel/NtDuplicateObject]] |197 |stdcall | |- |[[Kernel/NtFlushBuffersFile]] |198 |stdcall | |- |[[Kernel/NtFreeVirtualMemory]] |199 |stdcall | |- |[[Kernel/NtFsControlFile]] |200 |stdcall | |- |[[Kernel/NtOpenDirectoryObject]] |201 |stdcall | |- |[[Kernel/NtOpenFile]] |202 |stdcall | |- |[[Kernel/NtOpenSymbolicLinkObject]] |203 |stdcall | |- |[[Kernel/NtProtectVirtualMemory]] |204 |stdcall | |- |[[Kernel/NtPulseEvent]] |205 |stdcall | |- |[[Kernel/NtQueueApcThread]] |206 |stdcall | |- |[[Kernel/NtQueryDirectoryFile]] |207 |stdcall | |- |[[Kernel/NtQueryDirectoryObject]] |208 |stdcall | |- |[[Kernel/NtQueryEvent]] |209 |stdcall | |- |[[Kernel/NtQueryFullAttributesFile]] |210 |stdcall | |- |[[Kernel/NtQueryInformationFile]] |211 |stdcall | |- |[[Kernel/NtQueryIoCompletion]] |212 |stdcall | |- |[[Kernel/NtQueryMutant]] |213 |stdcall | |- |[[Kernel/NtQuerySemaphore]] |214 |stdcall | |- |[[Kernel/NtQuerySymbolicLinkObject]] |215 |stdcall | |- |[[Kernel/NtQueryTimer]] |216 |stdcall | |- |[[Kernel/NtQueryVirtualMemory]] |217 |stdcall | |- |[[Kernel/NtQueryVolumeInformationFile]] |218 |stdcall | |- |[[Kernel/NtReadFile]] |219 |stdcall | |- |[[Kernel/NtReadFileScatter]] |220 |stdcall | |- |[[Kernel/NtReleaseMutant]] |221 |stdcall | |- |[[Kernel/NtReleaseSemaphore]] |222 |stdcall | |- |[[Kernel/NtRemoveIoCompletion]] |223 |stdcall | |- |[[Kernel/NtResumeThread]] |224 |stdcall | |- |[[Kernel/NtSetEvent]] |225 |stdcall | |- |[[Kernel/NtSetInformationFile]] |226 |stdcall | |- |[[Kernel/NtSetIoCompletion]] |227 |stdcall | |- |[[Kernel/NtSetSystemTime]] |228 |stdcall | |- |[[Kernel/NtSetTimerEx]] |229 |stdcall | |- |[[Kernel/NtSignalAndWaitForSingleObjectEx]] |230 |stdcall | |- |[[Kernel/NtSuspendThread]] |231 |stdcall | |- |[[Kernel/NtUserIoApcDispatcher]] |232 |stdcall | |- |[[Kernel/NtWaitForSingleObject]] |233 |stdcall | |- |[[Kernel/NtWaitForSingleObjectEx]] |234 |stdcall | |- |[[Kernel/NtWaitForMultipleObjectsEx]] |235 |stdcall | |- |[[Kernel/NtWriteFile]] |236 |stdcall | |- |[[Kernel/NtWriteFileGather]] |237 |stdcall | |- |[[Kernel/NtYieldExecution]] |238 |stdcall | |- |[[Kernel/ObCreateObject]] |239 |stdcall | |- |[[Kernel/ObDirectoryObjectType]] |240 | |Variable: OBJECT_TYPE |- |[[Kernel/ObInsertObject]] |241 |stdcall | |- |[[Kernel/ObMakeTemporaryObject]] |242 |stdcall | |- |[[Kernel/ObOpenObjectByName]] |243 |stdcall | |- |[[Kernel/ObOpenObjectByPointer]] |244 |stdcall | |- |[[Kernel/ObpObjectHandleTable]] |245 | |Variable: OBJECT_HANDLE_TABLE |- |[[Kernel/ObReferenceObjectByHandle]] |246 |stdcall | |- |[[Kernel/ObReferenceObjectByName]] |247 |stdcall | |- |[[Kernel/ObReferenceObjectByPointer]] |248 |stdcall | |- |[[Kernel/ObSymbolicLinkObjectType]] |249 | |Variable: OBJECT_TYPE |- |[[Kernel/ObfDereferenceObject]] |250 |fastcall | |- |[[Kernel/ObfReferenceObject]] |251 |fastcall | |- |[[Kernel/PhyGetLinkState]] |252 |stdcall | |- |[[Kernel/PhyInitialize]] |253 |stdcall | |- |[[Kernel/PsCreateSystemThread]] |254 |stdcall | |- |[[Kernel/PsCreateSystemThreadEx]] |255 |stdcall | |- |[[Kernel/PsQueryStatistics]] |256 |stdcall | |- |[[Kernel/PsSetCreateThreadNotifyRoutine]] |257 |stdcall | |- |[[Kernel/PsTerminateSystemThread]] |258 |stdcall | |- |[[Kernel/PsThreadObjectType]] |259 | |Variable: OBJECT_TYPE |- |[[Kernel/RtlAnsiStringToUnicodeString]] |260 |stdcall | |- |[[Kernel/RtlAppendStringToString]] |261 |stdcall | |- |[[Kernel/RtlAppendUnicodeStringToString]] |262 |stdcall | |- |[[Kernel/RtlAppendUnicodeToString]] |263 |stdcall | |- |[[Kernel/RtlAssert]] |264 |stdcall | |- |[[Kernel/RtlCaptureContext]] |265 |stdcall | |- |[[Kernel/RtlCaptureStackBackTrace]] |266 |stdcall | |- |[[Kernel/RtlCharToInteger]] |267 |stdcall | |- |[[Kernel/RtlCompareMemory]] |268 |stdcall | |- |[[Kernel/RtlCompareMemoryUlong]] |269 |stdcall | |- |[[Kernel/RtlCompareString]] |270 |stdcall | |- |[[Kernel/RtlCompareUnicodeString]] |271 |stdcall | |- |[[Kernel/RtlCopyString]] |272 |stdcall | |- |[[Kernel/RtlCopyUnicodeString]] |273 |stdcall | |- |[[Kernel/RtlCreateUnicodeString]] |274 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeChar]] |275 |stdcall | |- |[[Kernel/RtlDowncaseUnicodeString]] |276 |stdcall | |- |[[Kernel/RtlEnterCriticalSection]] |277 |stdcall | |- |[[Kernel/RtlEnterCriticalSectionAndRegion]] |278 |stdcall | |- |[[Kernel/RtlEqualString]] |279 |stdcall | |- |[[Kernel/RtlEqualUnicodeString]] |280 |stdcall | |- |[[Kernel/RtlExtendedIntegerMultiply]] |281 |stdcall | |- |[[Kernel/RtlExtendedLargeIntegerDivide]] |282 |stdcall | |- |[[Kernel/RtlExtendedMagicDivide]] |283 |stdcall | |- |[[Kernel/RtlFillMemory]] |284 |stdcall | |- |[[Kernel/RtlFillMemoryUlong]] |285 |stdcall | |- |[[Kernel/RtlFreeAnsiString]] |286 |stdcall | |- |[[Kernel/RtlFreeUnicodeString]] |287 |stdcall | |- |[[Kernel/RtlGetCallersAddress]] |288 |stdcall | |- |[[Kernel/RtlInitAnsiString]] |289 |stdcall | |- |[[Kernel/RtlInitUnicodeString]] |290 |stdcall | |- |[[Kernel/RtlInitializeCriticalSection]] |291 |stdcall | |- |[[Kernel/RtlIntegerToChar]] |292 |stdcall | |- |[[Kernel/RtlIntegerToUnicodeString]] |293 |stdcall | |- |[[Kernel/RtlLeaveCriticalSection]] |294 |stdcall | |- |[[Kernel/RtlLeaveCriticalSectionAndRegion]] |295 |stdcall | |- |[[Kernel/RtlLowerChar]] |296 |stdcall | |- |[[Kernel/RtlMapGenericMask]] |297 |stdcall | |- |[[Kernel/RtlMoveMemory]] |298 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeN]] |299 |stdcall | |- |[[Kernel/RtlMultiByteToUnicodeSize]] |300 |stdcall | |- |[[Kernel/RtlNtStatusToDosError]] |301 |stdcall | |- |[[Kernel/RtlRaiseException]] |302 |stdcall | |- |[[Kernel/RtlRaiseStatus]] |303 |stdcall | |- |[[Kernel/RtlTimeFieldsToTime]] |304 |stdcall | |- |[[Kernel/RtlTimeToTimeFields]] |305 |stdcall | |- |[[Kernel/RtlTryEnterCriticalSection]] |306 |stdcall | |- |[[Kernel/RtlUlongByteSwap]] |307 |fastcall | |- |[[Kernel/RtlUnicodeStringToAnsiString]] |308 |stdcall | |- |[[Kernel/RtlUnicodeStringToInteger]] |309 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteN]] |310 |stdcall | |- |[[Kernel/RtlUnicodeToMultiByteSize]] |311 |stdcall | |- |[[Kernel/RtlUnwind]] |312 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeChar]] |313 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeString]] |314 |stdcall | |- |[[Kernel/RtlUpcaseUnicodeToMultiByteN]] |315 |stdcall | |- |[[Kernel/RtlUpperChar]] |316 |stdcall | |- |[[Kernel/RtlUpperString]] |317 |stdcall | |- |[[Kernel/RtlUshortByteSwap]] |318 |fastcall | |- |[[Kernel/RtlWalkFrameChain]] |319 |stdcall | |- |[[Kernel/RtlZeroMemory]] |320 |stdcall | |- |[[Kernel/XboxEEPROMKey]] |321 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxHardwareInfo]] |322 | |Variable: XBOX_HARDWARE_INFO |- |[[Kernel/XboxHDKey]] |323 | |Variable: XBOX_KEY_DATA |- |[[Kernel/XboxKrnlVersion]] |324 | |Variable: XBOX_KRNL_VERSION |- |[[Kernel/XboxSignatureKey]] |325 | |Variable: XBOX_KEY_DATA; modified by active XBE Certificate |- |[[Kernel/XeImageFileName]] |326 | |Variable: OBJECT_STRING |- |[[Kernel/XeLoadSection]] |327 |stdcall | |- |[[Kernel/XeUnloadSection]] |328 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_UCHAR]] |329 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_USHORT]] |330 |stdcall | |- |[[Kernel/READ_PORT_BUFFER_ULONG]] |331 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_UCHAR]] |332 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_USHORT]] |333 |stdcall | |- |[[Kernel/WRITE_PORT_BUFFER_ULONG]] |334 |stdcall | |- |[[Kernel/XcSHAInit]] |335 |stdcall | |- |[[Kernel/XcSHAUpdate]] |336 |stdcall | |- |[[Kernel/XcSHAFinal]] |337 |stdcall | |- |[[Kernel/XcRC4Key]] |338 |stdcall | |- |[[Kernel/XcRC4Crypt]] |339 |stdcall | |- |[[Kernel/XcHMAC]] |340 |stdcall | |- |[[Kernel/XcPKEncPublic]] |341 |stdcall | |- |[[Kernel/XcPKDecPrivate]] |342 |stdcall | |- |[[Kernel/XcPKGetKeyLen]] |343 |stdcall | |- |[[Kernel/XcVerifyPKCS1Signature]] |344 |stdcall | |- |[[Kernel/XcModExp]] |345 |stdcall | |- |[[Kernel/XcDESKeyParity]] |346 |stdcall | |- |[[Kernel/XcKeyTable]] |347 |stdcall | |- |[[Kernel/XcBlockCrypt]] |348 |stdcall | |- |[[Kernel/XcBlockCryptCBC]] |349 |stdcall | |- |[[Kernel/XcCryptService]] |350 |stdcall | |- |[[Kernel/XcUpdateCrypto]] |351 |stdcall | |- |[[Kernel/RtlRip]] |352 |stdcall | |- |[[Kernel/XboxLANKey]] |353 | |Variable: XBOX_KEY_DATA; modified by active XBE Certificate |- |[[Kernel/XboxAlternateSignatureKeys]] |354 | |Variable: XBOX_KEY_DATA[XBEIMAGE_ALTERNATE_TITLE_ID_COUNT]; modified by active XBE Certificate |- |[[Kernel/XePublicKeyData]] |355 | |Variable: UCHAR[XC_PUBLIC_KEYDATA_SIZE] |- |[[Kernel/HalBootSMCVideoMode]] |356 | |Variable: ULONG |- |[[Kernel/IdexChannelObject]] |357 | |Variable: IDE_CHANNEL_OBJECT |- |[[Kernel/HalIsResetOrShutdownPending]] |358 |stdcall | |- |[[Kernel/IoMarkIrpMustComplete]] |359 |stdcall | |- |[[Kernel/HalInitiateShutdown]] |360 |stdcall | |- |[[Kernel/RtlSnprintf]] |361 |stdcall |Unused? |- |[[Kernel/RtlSprintf]] |362 |stdcall |Unused? |- |[[Kernel/RtlVsnprintf]] |363 |stdcall |Unused? |- |[[Kernel/RtlVsprintf]] |364 |stdcall |Unused? |- |[[Kernel/HalEnableSecureTrayEject]] |365 |stdcall | |- |[[Kernel/HalWriteSMCScratchRegister]] |366 |stdcall | |- | |367 | |Unused? |- | |368 | |Unused? |- | |369 | |Unused? |- |[[Kernel/XProfpControl]] |370 | |Profiling-enabled builds only! |- |[[Kernel/XProfpGetData]] |371 | |Profiling-enabled builds only! |- |[[Kernel/IrtClientInitFast]] |372 | |Profiling-enabled builds only! |- |[[Kernel/IrtSweep]] |373 | |Profiling-enabled builds only! |- |[[Kernel/MmDbgAllocateMemory]] |374 |stdcall |Devkits only! |- |[[Kernel/MmDbgFreeMemory]] |375 |stdcall |Devkits only! |- |[[Kernel/MmDbgQueryAvailablePages]] |376 |stdcall |Devkits only! |- |[[Kernel/MmDbgReleaseAddress]] |377 |stdcall |Devkits only! |- |[[Kernel/MmDbgWriteCheck]] |378 |stdcall |Devkits only! |} 4913b51349f7571f241f8e427102ae2a96539369 0 3710 6599 5275 2018-10-27T22:23:27Z JayFoxRox 2 Be more precise with HDD and DVD errors wikitext text/x-wiki These are the errors which will be displayed [[File:Fatal_Error_13.png|300px|thumb|right|Fatal Error 13 being displayed]] Checked after cold-boot, in this particular order{{FIXME|reason=We should split this into larger blocks, like HDD initalization, DVD initialization, .. and then explain the steps in each}}: {| class="wikitable" !Value (2 digit decimal) !Step / Condition |- |07 |Harddrive never left busy state (after reset from cold-boot) |- |09 |Setting Harddrive PIO mode failed |- |09 |Setting Harddrive DMA mode failed |- |08 |Harddrive ATA identify device command failed |- |09 |Harddrive is too small for cache partitions |- |06 |Unable to unlock Harddrive |- |08 |Harddrive ATA identify device after unlock command failed |- |08 |Setting Harddrive device parameters failed |- |10 |DVD Drive never left busy state (after reset from cold-boot) |- |12 |Setting DVD Drive PIO mode failed |- |12 |Setting DVD Drive DMA mode failed |- |11 |DVD Drive ATAPI identify device command failed |} Additional error codes, or no precise order known{{FIXME|reason=Figure out the order}}: {| class="wikitable" !Value (2 digit decimal) !Generic meaning |- |00 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |05 |Harddrive not locked{{FIXME|reason=When is this actually checked?}} |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 850ba6c6fa9b471b553493dcbc46e29e33fb1fe6 6600 6599 2018-10-27T22:34:21Z JayFoxRox 2 Also add more information for error 5 wikitext text/x-wiki These are the errors which will be displayed [[File:Fatal_Error_13.png|300px|thumb|right|Fatal Error 13 being displayed]] Checked after cold-boot, in this particular order{{FIXME|reason=We should split this into larger blocks, like HDD initalization, DVD initialization, .. and then explain the steps in each}}: {| class="wikitable" !Value (2 digit decimal) !Step / Condition <!-- IDE / Harddive initialization --> |- |07 |Harddrive never left busy state (after reset from cold-boot) |- |09 |Setting Harddrive PIO mode failed |- |09 |Setting Harddrive DMA mode failed |- |08 |Harddrive ATA identify device command failed |- |09 |Harddrive is too small for cache partitions |- |06 |Unable to unlock Harddrive |- |08 |Harddrive ATA identify device after unlock command failed |- |08 |Setting Harddrive device parameters failed <!-- IDE / DVD Drive initialization --> |- |10 |DVD Drive never left busy state (after reset from cold-boot) |- |12 |Setting DVD Drive PIO mode failed |- |12 |Setting DVD Drive DMA mode failed |- |11 |DVD Drive ATAPI identify device command failed <!-- XBE Loader --> |- |05 |Harddrive not locked; Not reported if either: * XBE is allowed to run from unlocked HDD * Xbox is in manufacturing region * Kernel is made for Chihiro * Kernel is made for XDK |} Additional error codes, or no precise order known{{FIXME|reason=Figure out the order}}: {| class="wikitable" !Value (2 digit decimal) !Generic meaning |- |00 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 158d5f68f8987a04f794c328e200ce619d0abc7b 6602 6600 2018-11-02T15:24:06Z JayFoxRox 2 Added note about lack of error code display in kernel 3944 wikitext text/x-wiki These are the errors which will be displayed [[File:Fatal_Error_13.png|300px|thumb|right|Fatal Error 13 being displayed]]. Kernel version 3944 is the only known official kernel which doesn't show an error code in the corner{{FIXME|reason=Does it still pulse the hardware pin? does it still set error code in the SMC?}}. Checked after cold-boot, in this particular order{{FIXME|reason=We should split this into larger blocks, like HDD initalization, DVD initialization, .. and then explain the steps in each}}: {| class="wikitable" !Value (2 digit decimal) !Step / Condition <!-- IDE / Harddive initialization --> |- |07 |Harddrive never left busy state (after reset from cold-boot) |- |09 |Setting Harddrive PIO mode failed |- |09 |Setting Harddrive DMA mode failed |- |08 |Harddrive ATA identify device command failed |- |09 |Harddrive is too small for cache partitions |- |06 |Unable to unlock Harddrive |- |08 |Harddrive ATA identify device after unlock command failed |- |08 |Setting Harddrive device parameters failed <!-- IDE / DVD Drive initialization --> |- |10 |DVD Drive never left busy state (after reset from cold-boot) |- |12 |Setting DVD Drive PIO mode failed |- |12 |Setting DVD Drive DMA mode failed |- |11 |DVD Drive ATAPI identify device command failed <!-- XBE Loader --> |- |05 |Harddrive not locked; Not reported if either: * XBE is allowed to run from unlocked HDD * Xbox is in manufacturing region * Kernel is made for Chihiro * Kernel is made for XDK |} Additional error codes, or no precise order known{{FIXME|reason=Figure out the order}}: {| class="wikitable" !Value (2 digit decimal) !Generic meaning |- |00 |No error (used internally to clear error flags from EEPROM) |- |01 | |- |02 |EEPROM Checksum failure |- |03 | |- |04 |RAM bad |- |13 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 0</code> (MainMenu) |- |14 |Dashboard broken, while [[Kernel/LaunchDataPage]] <code>reason == 1</code> (Error) |- |15 | |- |16 |Dashboard settings error{{citation needed}} |- |17 | |- |18 | |- |19 | |- |20 |Dashboard failed to launch, but DVD security check was successful |- |21 |Used to manually display fatal error after reboot (on purpose) |} 34304827949d84d365458c03a3eafe04bbcfa590 0 3692 6601 6550 2018-10-30T08:12:38Z Wayo 2479 /* References and links */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 3451845fbf75db50e9c30297319c5ea58eb664c6 0 3675 6603 6266 2018-11-10T05:00:49Z DaveX 2487 fix broken link wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web.archive.org/web/20031004105935/http://developer.nvidia.com:80/object/nv30_emulation.html NV30 information and emulator] * [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006] 23c12abdb51d7b6d0a5d3dba91f73731ea762820 6640 6603 2018-12-29T15:59:44Z JayFoxRox 2 wikitext text/x-wiki The northbridge of the chipset, and is the GPU == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web.archive.org/web/20031004105935/http://developer.nvidia.com:80/object/nv30_emulation.html NV30 information and emulator] * [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006] [[Category:NV2A]] 3d82cf8272772dcfea8c57d0dcdfcbc800c8c9f7 0 3 6604 6482 2018-12-21T20:52:02Z Monocasa 2506 Replace beta archive.org with usable link wikitext text/x-wiki == Xbox Post-Mortems by developers == * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] 2ca0b958f4a7d85c4f7b47012b42d7516be3ad39 0 3703 6605 6443 2018-12-21T21:00:59Z Monocasa 2506 xbvm relied on kvm wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/Linux/Mac/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, it is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 0de03f9972ed886ad389ae7600201ebb3c72da5b 6645 6605 2019-01-05T23:11:10Z JayFoxRox 2 Yet another Xbox emulator wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 | |Windows/Linux |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] c134c0700983f9ef51c719c445f288263f57b4fb 6646 6645 2019-01-05T23:11:56Z JayFoxRox 2 (Had platform and license fields mixed for viXen) wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] a82b4f6f8a6d7f104aa87ae1c2ec130c5540a569 0 1 6606 6553 2018-12-21T21:46:27Z Espes 2484 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] ** [[Network]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 747980a0a154edc0a7b603c5d4f23f7c29cc017a 6607 6606 2018-12-21T21:48:54Z Espes 2484 /* Historical Pages */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] ** [[Network]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 93705b7bf07994e4f34313f29ceb97987549f3da 6608 6607 2018-12-21T23:49:24Z Monocasa 2506 Add PCI top level page wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 8d7e3ab049cccb83c6536e28ad6a7d91b62f49c2 6622 6608 2018-12-27T11:17:22Z Espes 2484 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 5d9bcc3e7fc723f284bf7407025063e5fae13640 6623 6622 2018-12-27T11:24:50Z Espes 2484 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 6fbe8a300f4b69acea9539058118e87b422c1b78 0 3977 6609 2018-12-22T00:55:03Z Monocasa 2506 Created page with "== Overview == Most Xbox devices are ultimately exposed to the CPU via a PCI bus. PCI works by allowing individual devices to be interrogated and remapped through the physic..." wikitext text/x-wiki == Overview == Most Xbox devices are ultimately exposed to the CPU via a PCI bus. PCI works by allowing individual devices to be interrogated and remapped through the physical address space (both memory and IO space). This interrogation and configuration occurs in a special address space known as PCI Config Space. Typically an operating system scans the entire PCI Config Space at initilization time in order to map the relevant devices and load drivers. Like a lot of single purpose embedded systems, the Xbox was shipped at the point of being a minimum viable product (ie. the PCI bus is horribly broken in remarkably crazy ways). PCI Config Addresses consist of three or four hex numbers, typically in the form of BB.DD:F or BB.DD:F.RR where * BB - Bus number - 00 through FF * DD - Device Number - 00 through 1F * F - Function Number - 0 through 7 * RR - Register In PCI Config Space - 00 through FC (register access is aligned on 4 byte words) == Devices == All dumps are from a DVT4 completely booted to the official 5558 debug ROM === 00.00:0 - Host Bridge Adapter === XCodes write 7ffffff to config reg 84 pretty soon in boot (looks like part of DRAM init). 00.00:0.00: 02a510de 00.00:0.04: 00100006 00.00:0.08: 060000a1 00.00:0.0c: 00800000 00.00:0.10: 40000008 00.00:0.14: 00000000 00.00:0.18: 00000000 00.00:0.1c: 00000000 00.00:0.20: 00000000 00.00:0.24: 00000000 00.00:0.28: 00000000 00.00:0.2c: 00000000 00.00:0.30: 00000000 00.00:0.34: 00000040 00.00:0.38: 00000000 00.00:0.3c: 00000000 00.00:0.40: 00206002 00.00:0.44: 1f000217 00.00:0.48: 00000014 00.00:0.4c: 00000001 00.00:0.50: 00000000 00.00:0.54: 10000000 00.00:0.58: ffffffff 00.00:0.5c: ffffffff 00.00:0.60: 20010008 00.00:0.64: 88880120 00.00:0.68: 00000010 00.00:0.6c: 0f0f0f21 00.00:0.70: ffffffff 00.00:0.74: ffffffff 00.00:0.78: ffffffff 00.00:0.7c: ffffffff 00.00:0.80: 00000100 00.00:0.84: 07ffffff 00.00:0.88: 00000001 00.00:0.8c: 3ff6f417 00.00:0.90: 00000000 00.00:0.94: f9feffff 00.00:0.98: 00000000 00.00:0.9c: 00000000 00.00:0.a0: 00000000 00.00:0.a4: 00002001 00.00:0.a8: 00000000 00.00:0.ac: 00000000 00.00:0.b0: 00000001 00.00:0.b4: 00000000 00.00:0.b8: 00000000 00.00:0.bc: 00000000 00.00:0.c0: 00033333 00.00:0.c4: 00033333 00.00:0.c8: 00000013 00.00:0.cc: 00000000 00.00:0.d0: 00000000 00.00:0.d4: 00000001 00.00:0.d8: 07f0ffff 00.00:0.dc: 00000000 00.00:0.e0: 00400006 00.00:0.e4: 01ff75b7 00.00:0.e8: 00000000 00.00:0.ec: 00000000 00.00:0.f0: f0000001 00.00:0.f4: 00000000 00.00:0.f8: 00000000 00.00:0.fc: 00000000 BAR0: 40000008 - c0000008 - 1073741824 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.00:1 & 00.00:2 - Broken Devices === Reading PCI Config Space for these devices will freeze the console. Looking at the similar nForce chipsets, it is likely that these are DRAM controllers that aren't complete. === 00.00:3 - DRAM Controller === 00.00:3.00: 02a610de 00.00:3.04: 00200000 00.00:3.08: 050000a1 00.00:3.0c: 00800000 00.00:3.10: 00000000 00.00:3.14: 00000000 00.00:3.18: 00000000 00.00:3.1c: 00000000 00.00:3.20: 00000000 00.00:3.24: 00000000 00.00:3.28: 00000000 00.00:3.2c: 00000000 00.00:3.30: 00000000 00.00:3.34: 00000000 00.00:3.38: 00000000 00.00:3.3c: 00000000 00.00:3.40: f0f0c0c0 00.00:3.44: 00c00000 00.00:3.48: 00000000 00.00:3.4c: 00000000 00.00:3.50: 00000000 00.00:3.54: 00000000 00.00:3.58: 00000000 00.00:3.5c: 04070000 00.00:3.60: 00000000 00.00:3.64: 01208001 00.00:3.68: 0000006c 00.00:3.6c: 01230801 00.00:3.70: 00000000 00.00:3.74: 00000000 00.00:3.78: 00000000 00.00:3.7c: 00000000 00.00:3.80: 00000000 00.00:3.84: 00000000 00.00:3.88: 00000000 00.00:3.8c: 00000000 00.00:3.90: 00000000 00.00:3.94: 00000000 00.00:3.98: 00000000 00.00:3.9c: 00000000 00.00:3.a0: 00000000 00.00:3.a4: 00000000 00.00:3.a8: 00000000 00.00:3.ac: 00000000 00.00:3.b0: 00000000 00.00:3.b4: 00000000 00.00:3.b8: 00000000 00.00:3.bc: 00000000 00.00:3.c0: 00000000 00.00:3.c4: 00000000 00.00:3.c8: 00000000 00.00:3.cc: 00000000 00.00:3.d0: 00000000 00.00:3.d4: 00000000 00.00:3.d8: 00000000 00.00:3.dc: 00000000 00.00:3.e0: 00000000 00.00:3.e4: 00000000 00.00:3.e8: 00000000 00.00:3.ec: 00000000 00.00:3.f0: 00000000 00.00:3.f4: 00000000 00.00:3.f8: 00000000 00.00:3.fc: 00000000 BAR0: 0 - 0 - 0 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.01:0 - ISA Bridge === This is probably the LPC bus controller (LPC is just a serial version of the classic ISA bus). A lot of random system init stuff gets written here on boot, both to it's IO space, and it's config space. 00.01:0.00: 01b210de 00.01:0.04: 00b0000f 00.01:0.08: 060100b2 00.01:0.0c: 00800000 00.01:0.10: 00008001 00.01:0.14: 00000000 00.01:0.18: 00000000 00.01:0.1c: 00000000 00.01:0.20: 00000000 00.01:0.24: 00000000 00.01:0.28: 00000000 00.01:0.2c: 00000000 00.01:0.30: 00000000 00.01:0.34: 00000050 00.01:0.38: 00000000 00.01:0.3c: 00000000 00.01:0.40: 00000000 00.01:0.44: 20000000 00.01:0.48: 00000440 00.01:0.4c: 0000fdde 00.01:0.50: 01410008 00.01:0.54: 88880070 00.01:0.58: 000000a0 00.01:0.5c: 00000000 00.01:0.60: 00000400 00.01:0.64: 00000b0c 00.01:0.68: 00031000 00.01:0.6c: 0e065491 00.01:0.70: 00000000 00.01:0.74: 00000000 00.01:0.78: 00000000 00.01:0.7c: 00000000 00.01:0.80: 04001800 00.01:0.84: 00000000 00.01:0.88: 0000000f 00.01:0.8c: 48000000 00.01:0.90: 00000080 00.01:0.94: 00000000 00.01:0.98: 811ced04 00.01:0.9c: 871cc707 00.01:0.a0: 00000000 00.01:0.a4: 01500044 00.01:0.a8: 00150004 00.01:0.ac: 00070001 00.01:0.b0: 02010000 00.01:0.b4: 00010f12 00.01:0.b8: 00000000 00.01:0.bc: 01008001 00.01:0.c0: 00000000 00.01:0.c4: 00000000 00.01:0.c8: 00000000 00.01:0.cc: 00000000 00.01:0.d0: 607f7e7c 00.01:0.d4: 7c7e7c78 00.01:0.d8: 00007e7f 00.01:0.dc: 00000000 00.01:0.e0: 00000000 00.01:0.e4: 00000000 00.01:0.e8: 00000000 00.01:0.ec: 00000000 00.01:0.f0: 00000f00 00.01:0.f4: 00000000 00.01:0.f8: 00000000 00.01:0.fc: 00000000 BAR0: 8001 - ffffff01 - 256 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.01:1 - SMBUS Controller === It's unknown what backs BAR0 and BAR2. BAR0 is never quite setup, and is therefor pointed to the IO ports from 00 to 0F. Cromwell interestingly writes to IO port 00 accidentally. 00.01:1.00: 01b410de 00.01:1.04: 00b00001 00.01:1.08: 0c0500b1 00.01:1.0c: 00800000 00.01:1.10: 00000001 00.01:1.14: 0000c001 00.01:1.18: 0000c201 00.01:1.1c: 00000000 00.01:1.20: 00000000 00.01:1.24: 00000000 00.01:1.28: 00000000 00.01:1.2c: 00000000 00.01:1.30: 00000000 00.01:1.34: 00000044 00.01:1.38: 00000000 00.01:1.3c: 01030100 00.01:1.40: 00000000 00.01:1.44: 00020001 00.01:1.48: 00000000 00.01:1.4c: 00000000 00.01:1.50: 00000000 00.01:1.54: 00000000 00.01:1.58: 00000000 00.01:1.5c: 00000000 00.01:1.60: 00000000 00.01:1.64: 00000000 00.01:1.68: 00000000 00.01:1.6c: 00000000 00.01:1.70: 00000000 00.01:1.74: 00000000 00.01:1.78: 00000000 00.01:1.7c: 00000000 00.01:1.80: 00000000 00.01:1.84: 00000000 00.01:1.88: 00000000 00.01:1.8c: 00000000 00.01:1.90: 00000000 00.01:1.94: 00000000 00.01:1.98: 00000000 00.01:1.9c: 00000000 00.01:1.a0: 00000000 00.01:1.a4: 00000000 00.01:1.a8: 00000000 00.01:1.ac: 00000000 00.01:1.b0: 00000000 00.01:1.b4: 00000000 00.01:1.b8: 00000000 00.01:1.bc: 00000000 00.01:1.c0: 00000000 00.01:1.c4: 00000000 00.01:1.c8: 00000000 00.01:1.cc: 00000000 00.01:1.d0: 00000000 00.01:1.d4: 00000000 00.01:1.d8: 00000000 00.01:1.dc: 00000000 00.01:1.e0: 00000000 00.01:1.e4: 00000000 00.01:1.e8: 00000000 00.01:1.ec: 00000000 00.01:1.f0: 00000000 00.01:1.f4: 00000000 00.01:1.f8: 00000000 00.01:1.fc: 00000000 BAR0: 1 - fffffff1 - 16 bytes BAR1: c001 - fffffff1 - 16 bytes BAR2: c201 - ffffffe1 - 32 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.02:0 - First OHCI controller === 00.02:0.00: 01c210de 00.02:0.04: 00b00006 00.02:0.08: 0c0310b1 00.02:0.0c: 00000000 00.02:0.10: fed00000 00.02:0.14: 00000000 00.02:0.18: 00000000 00.02:0.1c: 00000000 00.02:0.20: 00000000 00.02:0.24: 00000000 00.02:0.28: 00000000 00.02:0.2c: 00000000 00.02:0.30: 00000000 00.02:0.34: 00000044 00.02:0.38: 00000000 00.02:0.3c: 01030101 00.02:0.40: 00000000 00.02:0.44: da020001 00.02:0.48: 00000000 00.02:0.4c: 00000002 00.02:0.50: 0000000f 00.02:0.54: 00000000 00.02:0.58: 00000000 00.02:0.5c: 00000000 00.02:0.60: 00000000 00.02:0.64: 00000000 00.02:0.68: 00000000 00.02:0.6c: 00000000 00.02:0.70: 00000000 00.02:0.74: 00000000 00.02:0.78: 00000000 00.02:0.7c: 00000000 00.02:0.80: 00000000 00.02:0.84: 00000000 00.02:0.88: 00000000 00.02:0.8c: 00000000 00.02:0.90: 00000000 00.02:0.94: 00000000 00.02:0.98: 00000000 00.02:0.9c: 00000000 00.02:0.a0: 00000000 00.02:0.a4: 00000000 00.02:0.a8: 00000000 00.02:0.ac: 00000000 00.02:0.b0: 00000000 00.02:0.b4: 00000000 00.02:0.b8: 00000000 00.02:0.bc: 00000000 00.02:0.c0: 00000000 00.02:0.c4: 00000000 00.02:0.c8: 00000000 00.02:0.cc: 00000000 00.02:0.d0: 00000000 00.02:0.d4: 00000000 00.02:0.d8: 00000000 00.02:0.dc: 00000000 00.02:0.e0: 00000000 00.02:0.e4: 00000000 00.02:0.e8: 00000000 00.02:0.ec: 00000000 00.02:0.f0: 00000000 00.02:0.f4: 00000000 00.02:0.f8: 00000000 00.02:0.fc: 00000000 BAR0: fed00000 - fffff000 - 4096 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.03:0 - Second OHCI Controller === 00.03:0.00: 01c210de 00.03:0.04: 00b00006 00.03:0.08: 0c0310b1 00.03:0.0c: 00000000 00.03:0.10: fed08000 00.03:0.14: 00000000 00.03:0.18: 00000000 00.03:0.1c: 00000000 00.03:0.20: 00000000 00.03:0.24: 00000000 00.03:0.28: 00000000 00.03:0.2c: 00000000 00.03:0.30: 00000000 00.03:0.34: 00000044 00.03:0.38: 00000000 00.03:0.3c: 01030109 00.03:0.40: 00000000 00.03:0.44: da020001 00.03:0.48: 00000000 00.03:0.4c: 00000003 00.03:0.50: 00000030 00.03:0.54: 00000000 00.03:0.58: 00000000 00.03:0.5c: 00000000 00.03:0.60: 00000000 00.03:0.64: 00000000 00.03:0.68: 00000000 00.03:0.6c: 00000000 00.03:0.70: 00000000 00.03:0.74: 00000000 00.03:0.78: 00000000 00.03:0.7c: 00000000 00.03:0.80: 00000000 00.03:0.84: 00000000 00.03:0.88: 00000000 00.03:0.8c: 00000000 00.03:0.90: 00000000 00.03:0.94: 00000000 00.03:0.98: 00000000 00.03:0.9c: 00000000 00.03:0.a0: 00000000 00.03:0.a4: 00000000 00.03:0.a8: 00000000 00.03:0.ac: 00000000 00.03:0.b0: 00000000 00.03:0.b4: 00000000 00.03:0.b8: 00000000 00.03:0.bc: 00000000 00.03:0.c0: 00000000 00.03:0.c4: 00000000 00.03:0.c8: 00000000 00.03:0.cc: 00000000 00.03:0.d0: 00000000 00.03:0.d4: 00000000 00.03:0.d8: 00000000 00.03:0.dc: 00000000 00.03:0.e0: 00000000 00.03:0.e4: 00000000 00.03:0.e8: 00000000 00.03:0.ec: 00000000 00.03:0.f0: 00000000 00.03:0.f4: 00000000 00.03:0.f8: 00000000 00.03:0.fc: 00000000 BAR0: fed08000 - fffff000 - 4096 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.04:0 - Network Adapter === 00.04:0.00: 01c310de 00.04:0.04: 00b00007 00.04:0.08: 020000b1 00.04:0.0c: 00000000 00.04:0.10: fef00000 00.04:0.14: 0000e001 00.04:0.18: 00000000 00.04:0.1c: 00000000 00.04:0.20: 00000000 00.04:0.24: 00000000 00.04:0.28: 00000000 00.04:0.2c: 00000000 00.04:0.30: 00000000 00.04:0.34: 00000044 00.04:0.38: 00000000 00.04:0.3c: 14010104 00.04:0.40: 00000000 00.04:0.44: fe020001 00.04:0.48: 00000000 00.04:0.4c: 00000004 00.04:0.50: 00000000 00.04:0.54: 00000000 00.04:0.58: 00000000 00.04:0.5c: 00000000 00.04:0.60: 00000000 00.04:0.64: 00000000 00.04:0.68: 00000000 00.04:0.6c: 00000000 00.04:0.70: 00000000 00.04:0.74: 00000000 00.04:0.78: 00000000 00.04:0.7c: 00000000 00.04:0.80: 00000000 00.04:0.84: 00000000 00.04:0.88: 00000000 00.04:0.8c: 00000000 00.04:0.90: 00000000 00.04:0.94: 00000000 00.04:0.98: 00000000 00.04:0.9c: 00000000 00.04:0.a0: 00000000 00.04:0.a4: 00000000 00.04:0.a8: 00000000 00.04:0.ac: 00000000 00.04:0.b0: 00000000 00.04:0.b4: 00000000 00.04:0.b8: 00000000 00.04:0.bc: 00000000 00.04:0.c0: 00000000 00.04:0.c4: 00000000 00.04:0.c8: 00000000 00.04:0.cc: 00000000 00.04:0.d0: 00000000 00.04:0.d4: 00000000 00.04:0.d8: 00000000 00.04:0.dc: 00000000 00.04:0.e0: 00000000 00.04:0.e4: 00000000 00.04:0.e8: 00000000 00.04:0.ec: 00000000 00.04:0.f0: 00000000 00.04:0.f4: 00000000 00.04:0.f8: 00000000 00.04:0.fc: 00000000 BAR0: fef00000 - fffffc00 - 1024 bytes BAR1: e001 - fffffff9 - 16 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.05:0 - APU === 00.05:0.00: 01b010de 00.05:0.04: 00b00006 00.05:0.08: 040100b1 00.05:0.0c: 00000000 00.05:0.10: fe800000 00.05:0.14: 00000000 00.05:0.18: 00000000 00.05:0.1c: 00000000 00.05:0.20: 00000000 00.05:0.24: 00000000 00.05:0.28: 00000000 00.05:0.2c: 00000000 00.05:0.30: 00000000 00.05:0.34: 00000044 00.05:0.38: 00000000 00.05:0.3c: 0c010105 00.05:0.40: 00000000 00.05:0.44: 00020001 00.05:0.48: 00000000 00.05:0.4c: 0000050a 00.05:0.50: 00020001 00.05:0.54: 00020001 00.05:0.58: 00020001 00.05:0.5c: 00020001 00.05:0.60: 00020001 00.05:0.64: 00020001 00.05:0.68: 00020001 00.05:0.6c: 00020001 00.05:0.70: 00020001 00.05:0.74: 00020001 00.05:0.78: 00020001 00.05:0.7c: 00020001 00.05:0.80: 00020001 00.05:0.84: 00020001 00.05:0.88: 00020001 00.05:0.8c: 00020001 00.05:0.90: 00020001 00.05:0.94: 00020001 00.05:0.98: 00020001 00.05:0.9c: 00020001 00.05:0.a0: 00020001 00.05:0.a4: 00020001 00.05:0.a8: 00020001 00.05:0.ac: 00020001 00.05:0.b0: 00020001 00.05:0.b4: 00020001 00.05:0.b8: 00020001 00.05:0.bc: 00020001 00.05:0.c0: 00020001 00.05:0.c4: 00020001 00.05:0.c8: 00020001 00.05:0.cc: 00020001 00.05:0.d0: 00020001 00.05:0.d4: 00020001 00.05:0.d8: 00020001 00.05:0.dc: 00020001 00.05:0.e0: 00020001 00.05:0.e4: 00020001 00.05:0.e8: 00020001 00.05:0.ec: 00020001 00.05:0.f0: 00020001 00.05:0.f4: 00020001 00.05:0.f8: 00020001 00.05:0.fc: 00020001 BAR0: fe800000 - fff80000 - 524288 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.06:0 - AC97-esque Controller === 00.06:0.00: 01b110de 00.06:0.04: 00b00007 00.06:0.08: 040100b1 00.06:0.0c: 00800000 00.06:0.10: 0000d001 00.06:0.14: 0000d201 00.06:0.18: fec00000 00.06:0.1c: 00000000 00.06:0.20: 00000000 00.06:0.24: 00000000 00.06:0.28: 00000000 00.06:0.2c: 00000000 00.06:0.30: 00000000 00.06:0.34: 00000044 00.06:0.38: 00000000 00.06:0.3c: 05020106 00.06:0.40: 00000000 00.06:0.44: 00020001 00.06:0.48: 00000000 00.06:0.4c: 01010106 00.06:0.50: 00000000 00.06:0.54: 00000000 00.06:0.58: 00000000 00.06:0.5c: 00000000 00.06:0.60: 00000000 00.06:0.64: 00000000 00.06:0.68: 00000000 00.06:0.6c: 00000000 00.06:0.70: 00000000 00.06:0.74: 00000000 00.06:0.78: 00000000 00.06:0.7c: 00000000 00.06:0.80: 00000000 00.06:0.84: 00000000 00.06:0.88: 00000000 00.06:0.8c: 00000000 00.06:0.90: 00000000 00.06:0.94: 00000000 00.06:0.98: 00000000 00.06:0.9c: 00000000 00.06:0.a0: 00000000 00.06:0.a4: 00000000 00.06:0.a8: 00000000 00.06:0.ac: 00000000 00.06:0.b0: 00000000 00.06:0.b4: 00000000 00.06:0.b8: 00000000 00.06:0.bc: 00000000 00.06:0.c0: 00000000 00.06:0.c4: 00000000 00.06:0.c8: 00000000 00.06:0.cc: 00000000 00.06:0.d0: 00000000 00.06:0.d4: 00000000 00.06:0.d8: 00000000 00.06:0.dc: 00000000 00.06:0.e0: 00000000 00.06:0.e4: 00000000 00.06:0.e8: 00000000 00.06:0.ec: 00000000 00.06:0.f0: 00000000 00.06:0.f4: 00000000 00.06:0.f8: 00000000 00.06:0.fc: 00000000 BAR0: d001 - ffffff01 - 256 bytes BAR1: d201 - ffffff81 - 128 bytes BAR2: fec00000 - fffff000 - 4096 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes === 00.08:0 - PCI-PCI Bridge === 00.08:0.00: 01b810de 00.08:0.04: 00a00000 00.08:0.08: 060400b1 00.08:0.0c: 00010000 00.08:0.10: 00000000 00.08:0.14: 00000000 00.08:0.18: 00000000 00.08:0.1c: 02800000 00.08:0.20: 00000000 00.08:0.24: 00000000 00.08:0.28: 00000000 00.08:0.2c: 00000000 00.08:0.30: 00000000 00.08:0.34: 00000044 00.08:0.38: 00000000 00.08:0.3c: 00000000 00.08:0.40: 00000000 00.08:0.44: 00020001 00.08:0.48: 00000000 00.08:0.4c: 00000b08 00.08:0.50: 00000d0c 00.08:0.54: 00000f0e 00.08:0.58: 00000000 00.08:0.5c: 00000000 00.08:0.60: 00000000 00.08:0.64: 00000000 00.08:0.68: 00000000 00.08:0.6c: 00000000 00.08:0.70: 00000000 00.08:0.74: 00000000 00.08:0.78: 00000000 00.08:0.7c: 00000000 00.08:0.80: 00000000 00.08:0.84: 00000000 00.08:0.88: 00000000 00.08:0.8c: 00000000 00.08:0.90: 00000000 00.08:0.94: 00000000 00.08:0.98: 00000000 00.08:0.9c: 00000000 00.08:0.a0: 00000000 00.08:0.a4: 00000000 00.08:0.a8: 00000000 00.08:0.ac: 00000000 00.08:0.b0: 00000000 00.08:0.b4: 00000000 00.08:0.b8: 00000000 00.08:0.bc: 00000000 00.08:0.c0: 00000000 00.08:0.c4: 00000000 00.08:0.c8: 00000000 00.08:0.cc: 00000000 00.08:0.d0: 00000000 00.08:0.d4: 00000000 00.08:0.d8: 00000000 00.08:0.dc: 00000000 00.08:0.e0: 00000000 00.08:0.e4: 00000000 00.08:0.e8: 00000000 00.08:0.ec: 00000000 00.08:0.f0: 00000000 00.08:0.f4: 00000000 00.08:0.f8: 00000000 00.08:0.fc: 00000000 === 00.09:0 - IDE Controller === 00.09:0.00: 01bc10de 00.09:0.04: 00b00005 00.09:0.08: 01018ab1 00.09:0.0c: 00000000 00.09:0.10: 00000000 00.09:0.14: 00000000 00.09:0.18: 00000000 00.09:0.1c: 00000000 00.09:0.20: 0000ff61 00.09:0.24: 00000000 00.09:0.28: 00000000 00.09:0.2c: 00000000 00.09:0.30: 00000000 00.09:0.34: 00000044 00.09:0.38: 00000000 00.09:0.3c: 01030000 00.09:0.40: 00000000 00.09:0.44: 00020001 00.09:0.48: 00000000 00.09:0.4c: 00000900 00.09:0.50: 00000002 00.09:0.54: 00000000 00.09:0.58: 20202020 00.09:0.5c: ffff00ff 00.09:0.60: c0c0c0c0 00.09:0.64: 00000000 00.09:0.68: 00000000 00.09:0.6c: 00000000 00.09:0.70: 00000000 00.09:0.74: 00000000 00.09:0.78: 00000000 00.09:0.7c: 00000000 00.09:0.80: 00000000 00.09:0.84: 00000000 00.09:0.88: 00000000 00.09:0.8c: 00000000 00.09:0.90: 00000000 00.09:0.94: 00000000 00.09:0.98: 00000000 00.09:0.9c: 00000000 00.09:0.a0: 00000000 00.09:0.a4: 00000000 00.09:0.a8: 00000000 00.09:0.ac: 00000000 00.09:0.b0: 00000000 00.09:0.b4: 00000000 00.09:0.b8: 00000000 00.09:0.bc: 00000000 00.09:0.c0: 00000000 00.09:0.c4: 00000000 00.09:0.c8: 00000000 00.09:0.cc: 00000000 00.09:0.d0: 00000000 00.09:0.d4: 00000000 00.09:0.d8: 00000000 00.09:0.dc: 00000000 00.09:0.e0: 00000000 00.09:0.e4: 00000000 00.09:0.e8: 00000000 00.09:0.ec: 00000000 00.09:0.f0: 00000000 00.09:0.f4: 00000000 00.09:0.f8: 00000000 00.09:0.fc: 00000000 BAR0: 0 - 0 - 0 bytes BAR1: 0 - 0 - 0 bytes BAR2: 0 - 0 - 0 bytes BAR3: 0 - 0 - 0 bytes BAR4: ff61 - fffffff1 - 16 bytes BAR5: 0 - 0 - 0 bytes === 00.1e:0 - AGP Bridge === 00.1e:0.00: 01b710de 00.1e:0.04: 02200007 00.1e:0.08: 060400a1 00.1e:0.0c: 5f016df7 00.1e:0.10: bf7e3fff 00.1e:0.14: bbfffbff 00.1e:0.18: 00010100 00.1e:0.1c: 02a000f0 00.1e:0.20: fe70fd00 00.1e:0.24: f3f0f000 00.1e:0.28: ff3fbfff 00.1e:0.2c: afff7fff 00.1e:0.30: 3efff5fd 00.1e:0.34: 00000000 00.1e:0.38: 3bdac4f7 00.1e:0.3c: 0080e7f7 00.1e:0.40: 00000001 00.1e:0.44: 80000000 00.1e:0.48: 00000014 00.1e:0.4c: 00000001 00.1e:0.50: 00000000 00.1e:0.54: 10000000 00.1e:0.58: ffffffff 00.1e:0.5c: ffffffff 00.1e:0.60: ffffffff 00.1e:0.64: ffffffff 00.1e:0.68: ffffffff 00.1e:0.6c: ffffffff 00.1e:0.70: ffffffff 00.1e:0.74: ffffffff 00.1e:0.78: ffffffff 00.1e:0.7c: ffffffff 00.1e:0.80: ffffffff 00.1e:0.84: ffffffff 00.1e:0.88: ffffffff 00.1e:0.8c: ffffffff 00.1e:0.90: ffffffff 00.1e:0.94: ffffffff 00.1e:0.98: ffffffff 00.1e:0.9c: ffffffff 00.1e:0.a0: ffffffff 00.1e:0.a4: ffffffff 00.1e:0.a8: ffffffff 00.1e:0.ac: ffffffff 00.1e:0.b0: ffffffff 00.1e:0.b4: ffffffff 00.1e:0.b8: ffffffff 00.1e:0.bc: ffffffff 00.1e:0.c0: ffffffff 00.1e:0.c4: ffffffff 00.1e:0.c8: ffffffff 00.1e:0.cc: ffffffff 00.1e:0.d0: ffffffff 00.1e:0.d4: ffffffff 00.1e:0.d8: ffffffff 00.1e:0.dc: ffffffff 00.1e:0.e0: ffffffff 00.1e:0.e4: ffffffff 00.1e:0.e8: ffffffff 00.1e:0.ec: ffffffff 00.1e:0.f0: ffffffff 00.1e:0.f4: ffffffff 00.1e:0.f8: ffffffff 00.1e:0.fc: ffffffff === 01.00:0 - NV2A GPU === 01.00:0.00: 02a010de 01.00:0.04: 02b00007 01.00:0.08: 030000a1 01.00:0.0c: 0000f800 01.00:0.10: fd000000 01.00:0.14: f0000008 01.00:0.18: 00000008 01.00:0.1c: 00000000 01.00:0.20: 00000000 01.00:0.24: 00000000 01.00:0.28: 00000000 01.00:0.2c: 00000000 01.00:0.30: 00000000 01.00:0.34: 00000060 01.00:0.38: 00000000 01.00:0.3c: 01050103 01.00:0.40: 00000000 01.00:0.44: 00200002 01.00:0.48: 1f000017 01.00:0.4c: 1f000114 01.00:0.50: 00000000 01.00:0.54: 00000001 01.00:0.58: 0023d6ce 01.00:0.5c: 0000000f 01.00:0.60: 00024401 01.00:0.64: 00000000 01.00:0.68: 00000000 01.00:0.6c: 00000000 01.00:0.70: 00000000 01.00:0.74: 00000000 01.00:0.78: 00000000 01.00:0.7c: 00000000 01.00:0.80: 2b16d065 01.00:0.84: 00000000 01.00:0.88: 00000000 01.00:0.8c: 00000000 01.00:0.90: 00000000 01.00:0.94: 00000000 01.00:0.98: 00000000 01.00:0.9c: 00000000 01.00:0.a0: 00000000 01.00:0.a4: 00000000 01.00:0.a8: 00000000 01.00:0.ac: 00000000 01.00:0.b0: 00000000 01.00:0.b4: 00000000 01.00:0.b8: 00000000 01.00:0.bc: 00000000 01.00:0.c0: 00000000 01.00:0.c4: 00000000 01.00:0.c8: 00000000 01.00:0.cc: 00000000 01.00:0.d0: 00000000 01.00:0.d4: 00000000 01.00:0.d8: 00000000 01.00:0.dc: 00000000 01.00:0.e0: 00000000 01.00:0.e4: 00000000 01.00:0.e8: 00000000 01.00:0.ec: 00000000 01.00:0.f0: 00000000 01.00:0.f4: 00000000 01.00:0.f8: 00000000 01.00:0.fc: 00000000 BAR0: fd000000 - ff000000 - 16777216 bytes BAR1: f0000008 - f8000008 - 134217728 bytes BAR2: 8 - fff80008 - 524288 bytes BAR3: 0 - 0 - 0 bytes BAR4: 0 - 0 - 0 bytes BAR5: 0 - 0 - 0 bytes 8480dab421c9d41e77c168d58a9de13e89a76036 0 3909 6610 6420 2018-12-24T05:49:43Z KaosEngineer 2482 On v1.6 hardware, added "pin 9 is" for clarity of what's disconnected. Though it is what is being written about wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | SERIRQ (v1.0) || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, pin 9 is disconnected. Reconnect to pin 15 to restore the supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, disconnected. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 2f519a08f4adb65f400daf44a4b6e79390150514 0 3800 6611 6490 2018-12-26T21:49:30Z JayFoxRox 2 Add unknown fields wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Unknown (Bit-offset 4; 1-bit). ** 0 = ? ** 1 = ? * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Circular ** 0xF * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 7 bit (all values are OR'd with 0x80) ** 0x1 = 16 bit ** 0x2 = 24 bit in MSB ** 0x3 = 32 bit (2 words per value: first word receives 24 bit, the next word only 8 bit) ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * Step size (Bit-offset 14; unknown size). ** 0 = Keeps reading from same source offset ** 1 = Reads every sample ** 2 = Reads every second sample ** ... |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || The start of the buffer. |- ! 6 | Buffer limit || The end of the buffer. For 0x1000 bytes, this has to be 0xFFF.{{FIXME|reason=Is this independent of the base?}} |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 2e9971b8af665988d4a2a166244978e4ba0be6fc 6612 6611 2018-12-27T06:25:27Z JayFoxRox 2 Provide some DMA examples and more documentation (wip) wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits). ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes 0x12,0x34,0x56,0x78 are written to words 0x920000, 0xB40000, 0xD60000, 0xF80000 *** Buffer to DSP: bytes 0x92,0xB4,0xD6,0xF8 are written to words 0x120000, 0x340000, 0x560000, 0x780000 *** DSP to buffer: words 0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF are written to bytes: 0x12,0x34,0x56,0x78 ''(Rounded down)'' *** DSP to buffer: words 0x928000, 0xB48000, 0xD68000, 0xF88000 are written to bytes: 0x13,0x35,0x57,0x79 ''(Rounded up)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes 0x34,0x12 are written to word: 0x123400 *** DSP to buffer: DSP word 0x12347F is written to bytes: 0x34,0x12 ''(Truncated)'' *** DSP to buffer: DSP word 0x123480 is written to bytes: 0x34,0x12 ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes) *** Buffer to DSP: bytes 0x00,0x56,0x34,0x12 are written to {{FIXME}} *** DSP to buffer: word 0x123456 is written to bytes: 0x00,0x56,0x34,0x12 ** 0x3 = 32 bit (2 DSP words / 4 bytes) *** Buffer to DSP: bytes 0x12,0xBC,0x9A,0x78 are written to {{FIXME}} *** DSP to buffer: words 0x123456, 0x789ABC are written to bytes: 0x12,0xBC,0x9A,0x78 ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes) *** Buffer to DSP: bytes 0x56,0x34,0x12,0x00 are written to {{FIXME}} *** DSP to buffer: word 0x123456 is written to bytes: 0x56,0x34,0x12,0x00 ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 3cbc3863323c3e42d9a0161fa242cdd5d6d9decf 6613 6612 2018-12-27T06:49:32Z JayFoxRox 2 Finish work on DMA examples wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] b0195ee9d9b50ce7df4be7bcdf2d4f8cf722ef91 6614 6613 2018-12-27T07:13:32Z JayFoxRox 2 Add example for saturation wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP24210/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 709fab4da2c13457bdd69323f4d6aa73c00bc6af 6615 6614 2018-12-27T10:29:46Z Espes 2484 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP core (DSP2410/DSP2420?). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 059d39a00bc045363cf9b43d2811bc3ffdf7e2e7 6616 6615 2018-12-27T10:45:16Z Espes 2484 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" code). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] ac1134938a800e3135b3eef4a5daeb9b175d8d01 6617 6616 2018-12-27T11:00:30Z Espes 2484 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] 9413c59c7fe73720a7cf7e7e768e226b25dfe733 6618 6617 2018-12-27T11:05:50Z Espes 2484 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 5b3eeaa5efefb749c9ba1231a62a63dcb8182887 6624 6618 2018-12-27T19:31:13Z JayFoxRox 2 Buffer offset ignored in buffer type 0x0? wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 ** 0x1 = FIFO1 ** 0x2 = FIFO2{{citation needed}} ** 0x3 = FIFO3{{citation needed}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 8a7de71a6b2ef034e2487bc0fba939b5a593887b 6625 6624 2018-12-27T20:05:44Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP ** 1 = DSP to buffer * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0{{FIXME|reason=Confirmed for DSP to buffer [GPOF*0]; unknown for buffer to DSP}} ** 0x1 = FIFO1{{FIXME|reason=Confirmed for DSP to buffer [GPOF*1]; unknown for buffer to DSP}} ** 0x2 = FIFO2{{FIXME|reason=Confirmed for DSP to buffer [GPOF*2]; unknown for buffer to DSP}} ** 0x3 = FIFO3{{FIXME|reason=Confirmed for DSP to buffer [GPOF*3]; unknown for buffer to DSP}} ** 0x4 ** 0x5 ** 0x6 ** 0x7 ** 0x8 ** 0x9 ** 0xA ** 0xB ** 0xC ** 0xD ** 0xE = Scratch-Circular ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 1b4d4ce94609a458e011934ea6b6adcb85748f71 6626 6625 2018-12-27T20:18:01Z JayFoxRox 2 Documented the DMA FIFO buffer ids wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP (In) ** 1 = DSP to buffer (Out) * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 (In / Out) ** 0x1 = FIFO1 (In / Out) ** 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) ** 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) ** 0x4 = ? ** 0x5 = ? ** 0x6 = ? ** 0x7 = ? ** 0x8 = ? ** 0x9 = ? ** 0xA = ? ** 0xB = ? ** 0xC = ? ** 0xD = ? ** 0xE = Scratch (Circular) ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 38fc851baf78be7503d4e6aad7c1fa2c9231b316 6627 6626 2018-12-28T11:50:54Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP (In) ** 1 = DSP to buffer (Out) * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 (In / Out) ** 0x1 = FIFO1 (In / Out) ** 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) ** 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) ** 0x4 = ? ** 0x5 = ? ** 0x6 = ? ** 0x7 = ? ** 0x8 = ? ** 0x9 = ? ** 0xA = ? ** 0xB = ? ** 0xC = ? ** 0xD = ? ** 0xE = Scratch (Circular) ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] e8e686670a50f5e59ae84519a933aef99b2c1715 6628 6627 2018-12-28T12:45:46Z JayFoxRox 2 /* DMA */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP (In) ** 1 = DSP to buffer (Out) * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 (In / Out) ** 0x1 = FIFO1 (In / Out) ** 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) ** 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) ** 0x4 = ? ** 0x5 = ? ** 0x6 = ? ** 0x7 = ? ** 0x8 = ? ** 0x9 = ? ** 0xA = ? ** 0xB = ? ** 0xC = ? ** 0xD = ? ** 0xE = Scratch (Circular) ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the address within the buffer where the first sample is accessed. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 1f3deef76ce4c62dc2e10e42690f9352ff7dacd3 6629 6628 2018-12-28T13:09:42Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP (In) ** 1 = DSP to buffer (Out) * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 (In / Out) ** 0x1 = FIFO1 (In / Out) ** 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) ** 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) ** 0x4 = ? ** 0x5 = ? ** 0x6 = ? ** 0x7 = ? ** 0x8 = ? ** 0x9 = ? ** 0xA = ? ** 0xB = ? ** 0xC = ? ** 0xD = ? ** 0xE = Scratch (Circular) ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] d714124b461af9062382977d0ff7b321d0ecc808 6630 6629 2018-12-28T13:52:51Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: * Unknown (Bit-offset 0; 1-bit). ** 0 = ? ** 1 = ? * Direction (Bit-offset 1; 1-bit). ** 0 = Buffer to DSP (In) ** 1 = DSP to buffer (Out) * Unknown (Bit-offset 2; 2-bit). ** 0 = ? ** 1 = ? ** 2 = ? ** 3 = ? * Buffer offset writeback (Bit-offset 4; 1-bit). ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} ** 0 = Don't update buffer offset (Word 4) ** 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers * Buffer (Bit-offset 5; 4-bits). ** 0x0 = FIFO0 (In / Out) ** 0x1 = FIFO1 (In / Out) ** 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) ** 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) ** 0x4 = ? ** 0x5 = ? ** 0x6 = ? ** 0x7 = ? ** 0x8 = ? ** 0x9 = ? ** 0xA = ? ** 0xB = ? ** 0xC = ? ** 0xD = ? ** 0xE = Scratch (Circular) ** 0xF = Scratch * Unknown (Bit-offset 9; 1-bit). ** 0 = ? ** 1 = ? * Sample format (Bit-offset 10; 3-bits).{{FIXME|reason=Some of these need tests with signed datatypes}} ** 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' *** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> *** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> *** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' *** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' *** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' ** 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' *** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> *** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' *** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' ** 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' *** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> *** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' *** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** 0x4 = ''Transfer skipped'' ** 0x5 = ''Transfer skipped'' ** 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' *** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' ** 0x7 = ''Transfer skipped'' * Unknown (Bit-offset 13; 1-bit). ** 0 = ? ** 1 = ? * DSP address step size (Bit-offset 14; unknown size). ** Each DSP word is addressed using <code>dsp_address + sample_index * step_size</code> |- ! 2 | Transfer sample count || The number of samples to transfer. |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] b4ff01fa74442b5c4518929587de5527ddc0e4d9 6631 6630 2018-12-28T20:03:46Z JayFoxRox 2 Document interleaved mode + Formatting wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):''' <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode:{{FIXME|reason=What's the new buffer address when using buffer offset writeback?}} : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 7ea574d102bac81888425eab7172caed134df3b9 6632 6631 2018-12-28T20:13:09Z JayFoxRox 2 /* Command blocks */ wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):''' <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode:{{FIXME|reason=What's the new buffer address when using buffer offset writeback?}} : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] ce8a6e413b5bfcd56ed2267c99344757794e4c52 6633 6632 2018-12-28T23:01:11Z JayFoxRox 2 Interleaved mode (DSP address) does not affect buffer offset writeback (Buffer offset) due to diffeent address spaces wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):''' <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular buffers, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] 4d0bdf72ae7a59d5729416bb88cee73415c39220 6634 6633 2018-12-28T23:08:16Z JayFoxRox 2 Noticed that this can only apply to scratch (FIFO is also circular, but doesn't use these fields - to my knowledge) wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):''' <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] f2527f71a4cec991bd44c7459cc71a2a7555c286 6642 6634 2018-12-29T16:03:32Z JayFoxRox 2 wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):''' <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped'' ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] [[Category:APU]] 964bfa342583191865564c56e750ee96307701ae 6644 6642 2018-12-30T04:58:52Z JayFoxRox 2 Add some FIXMEs for untested cases wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):'''{{FIXME|reason=How is addressing affected with sample format 0x3 = 32 bit words?}} <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped''{{FIXME|reason=How are negative input words affected by rounding? 0x123000 etc.}} ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] [[Category:APU]] a12d463ec37dc8fc327e27bfe68010cd39b71f9d 0 3708 6619 5254 2018-12-27T11:12:35Z Espes 2484 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * [http://hackipedia.org/Disk%20formats/File%20systems/FATX%2C%20File%20Allocation%20Table%20%28X-Box%29/Differences_between_Xbox_FATX_and_MS-DOS_FAT.htm Differences between Xbox FATX and MS-DOS FAT] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] 61fd7a09d16ffab8c7a05becedb8b5180cc8e640 6621 6619 2018-12-27T11:16:18Z Espes 2484 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] 969b043c432886c8367550f5c2e28230a496ca4c 0 3707 6620 6484 2018-12-27T11:14:04Z Espes 2484 wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure | N/A |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"'' :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"'' '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] a70420ffe35ca74f845461692f1609991ff7aaf3 0 3687 6635 5068 2018-12-29T15:57:15Z JayFoxRox 2 Categorize wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. Please take everything with a grain of salt - it's still being researched. == Draw methods == === Draw Arrays === Data uploaded through DMA. Each attribute has it's own offset and stride. Decoded using the attribute information. === Inline Buffer === Data uploaded and decoded through PGRAPH methods. ==== NV097_SET_VERTEX_DATA2F_M ... NV097_SET_VERTEX_DATA2F_M + 0x7c ==== ==== NV097_SET_VERTEX_DATA4F_M ... NV097_SET_VERTEX_DATA4F_M + 0xfc ==== ==== NV097_SET_VERTEX_DATA2S ... NV097_SET_VERTEX_DATA2S + 0x3c ==== ==== NV097_SET_VERTEX_DATA4UB ... NV097_SET_VERTEX_DATA4UB + 0x3c ==== ==== NV097_SET_VERTEX_DATA4S_M ... NV097_SET_VERTEX_DATA4S_M + 0x7c ==== === Inline Array === Data uploaded through PGRAPH method NV097_INLINE_ARRAY. The attributes are tightly packed in that buffer. Decoded using the attribute information. === Inline Elements === Same as "Draw Arrays" but with an extra index buffer. The index buffer is uploaded through PGRAPH methods NV097_ARRAY_ELEMENT16 and NV097_ARRAY_ELEMENT32. == Attribute Types == === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? [[Category:NV2A]] 67d21be6e2b584d4b90daff4cb18fd3c9aea415c 0 7 6636 15 2018-12-29T15:57:37Z JayFoxRox 2 wikitext text/x-wiki == Lighting == == Skinning == [[Category:NV2A]] 4c20a74a362a40de88ac5e34e2100d8b3f5cf64d 0 9 6637 5878 2018-12-29T15:57:53Z JayFoxRox 2 wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == * [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions]{{FIXME|reason=Unconfirmed, needs testing}} [[Category:NV2A]] 6be68285aa98e2e1d20b214f14a39aa3fd7a8f6d 0 8 6638 5513 2018-12-29T15:58:01Z JayFoxRox 2 wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texturing modes == {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2tex?{{citation needed}} |DOT_PRODUCT_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf * http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf [[Category:NV2A]] 6b5f9f61201be53aa537d9440af21530a746859c 0 10 6639 18 2018-12-29T15:58:11Z JayFoxRox 2 wikitext text/x-wiki == Texture formats == == Framebuffer formats == [[Category:NV2A]] 53a4394573b46e9885ddebb2ea4dbb34d222e948 0 3799 6641 5859 2018-12-29T16:03:23Z JayFoxRox 2 wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). * SSL = Stream Segment List * SGE = Scatter Gather Entry * PRD = Physical Resource Descriptor (Same thing as SGE?!) == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound APIs. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] [[Category:APU]] 893368acc244832d1445b3cb52bbf75f710f1252 0 3804 6643 5936 2018-12-29T16:03:44Z JayFoxRox 2 wikitext text/x-wiki Xbox used it's own WAV file format to encode data using [[Wikipedia:Adaptive differential pulse-code modulation|ADPCM]]. This format is often called Xbox ADPCM. Standard IMA ADPCM WAV files would use format code 0x0011, whereas Xbox ADPCM files use format-code 0x0069. There are always 1 (Mono) or 2 (Stereo) channels{{citation needed|reason=Hardware doesn't allow playing anything else probably}}. All Xbox ADPCM files seem to store 64 ADPCM input nibbles per block. This value is also stored in the 'fmt ' extra-data which is always 2 bytes, containing the Bytes <code>0x40, 0x00</code> (64 as unsigned 16-bit integer). Because of that, all Xbox ADPCM files will have a block alignment of 36 (Mono) or 72 (Stereo) Bytes. As the decoder-setup in every block contains a predictor for each channel, there will be 65 samples / channel output per block (130:36 compression ratio = 72.3% compressed). Aside from what was mentioned, there are no known differences to IMA ADPCM. This is probably because the [[APU]] VP will decode ADPCM in hardware. Microsoft probably had little control over the APU ADPCM implementation and had to stay compatible to standard ADPCM. Players supporting IMA ADPCM also support Xbox ADPCM. However, they might reject files due to the different format-code. === Block format === Same as IMA ADPCM In the following tables, the following notation is used: * All indices start at 0 * W# denotes a 32-bit word * B# denotes a Byte (8-bit) * P denotes the ADPCM predictor for the block * SI denotes the Step-Index for the block * S# denotes a sample * Background color denotes the channel: ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:SkyBlue"></div> Blue: Left = Right ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:White;"></div> White: Left ** <div style="display: inline-block; width:10px; height:10px; border:1px solid black; background-color:Tomato"></div> Red: Right ==== Mono ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" width="20%" | W0 | colspan="8" width="20%" | W1 | colspan="8" width="20%" | W2 | rowspan="3" width="5%" | ... | colspan="8" width="20%" | W8 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B32 || colspan="2" | B33 || colspan="2" | B34 || colspan="2" | B35 |- ! Meaning | style="background-color:SkyBlue;" colspan="4" | P = S0 | style="background-color:SkyBlue;" colspan="2" | SI | colspan="2" | | style="background-color:SkyBlue;" | S2 || style="background-color:SkyBlue;" | S1 | style="background-color:SkyBlue;" | S4 || style="background-color:SkyBlue;" | S3 | style="background-color:SkyBlue;" | S6 || style="background-color:SkyBlue;" | S5 | style="background-color:SkyBlue;" | S8 || style="background-color:SkyBlue;" | S7 | style="background-color:SkyBlue;" | S10 || style="background-color:SkyBlue;" | S9 | style="background-color:SkyBlue;" | S12 || style="background-color:SkyBlue;" | S11 | style="background-color:SkyBlue;" | S14 || style="background-color:SkyBlue;" | S13 | style="background-color:SkyBlue;" | S16 || style="background-color:SkyBlue;" | S15 | style="background-color:SkyBlue;" | S58 || style="background-color:SkyBlue;" | S57 | style="background-color:SkyBlue;" | S60 || style="background-color:SkyBlue;" | S59 | style="background-color:SkyBlue;" | S62 || style="background-color:SkyBlue;" | S61 | style="background-color:SkyBlue;" | S64 || style="background-color:SkyBlue;" | S63 |} ==== Stereo ==== {{FIXME|reason=Fix cell width}} {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W0 | colspan="8" | W1 | colspan="8" | W2 | colspan="8" | W3 |- ! Byte | colspan="2" | B0 || colspan="2" | B1 || colspan="2" | B2 || colspan="2" | B3 | colspan="2" | B4 || colspan="2" | B5 || colspan="2" | B6 || colspan="2" | B7 | colspan="2" | B8 || colspan="2" | B9 || colspan="2" | B10 || colspan="2" | B11 | colspan="2" | B12 || colspan="2" | B13 || colspan="2" | B14 || colspan="2" | B15 |- ! Meaning | style="background-color:White;" colspan="4" | P = S0 | style="background-color:White;" colspan="2" | SI | colspan="2" | | style="background-color:Tomato;" colspan="4" | P = S0 | style="background-color:Tomato;" colspan="2" | SI | colspan="2" | | style="background-color:White;" | S2 || style="background-color:White;" | S1 | style="background-color:White;" | S4 || style="background-color:White;" | S3 | style="background-color:White;" | S6 || style="background-color:White;" | S5 | style="background-color:White;" | S8 || style="background-color:White;" | S7 | style="background-color:Tomato;" | S2 || style="background-color:Tomato;" | S1 | style="background-color:Tomato;" | S4 || style="background-color:Tomato;" | S3 | style="background-color:Tomato;" | S6 || style="background-color:Tomato;" | S5 | style="background-color:Tomato;" | S8 || style="background-color:Tomato;" | S7 |} ... {| class="wikitable" style="font-size:90%; text-align:center;" ! 32-bit word | colspan="8" | W14 | colspan="8" | W15 | colspan="8" | W16 | colspan="8" | W17 |- ! Byte | colspan="2" | B56 || colspan="2" | B57 || colspan="2" | B58 || colspan="2" | B59 | colspan="2" | B60 || colspan="2" | B61 || colspan="2" | B62 || colspan="2" | B63 | colspan="2" | B64 || colspan="2" | B65 || colspan="2" | B66 || colspan="2" | B67 | colspan="2" | B68 || colspan="2" | B69 || colspan="2" | B70 || colspan="2" | B71 |- ! Meaning | style="background-color:White;" | S50 || style="background-color:White;" | S49 | style="background-color:White;" | S52 || style="background-color:White;" | S51 | style="background-color:White;" | S54 || style="background-color:White;" | S53 | style="background-color:White;" | S56 || style="background-color:White;" | S55 | style="background-color:Tomato;" | S50 || style="background-color:Tomato;" | S49 | style="background-color:Tomato;" | S52 || style="background-color:Tomato;" | S51 | style="background-color:Tomato;" | S54 || style="background-color:Tomato;" | S53 | style="background-color:Tomato;" | S56 || style="background-color:Tomato;" | S55 | style="background-color:White;" | S58 || style="background-color:White;" | S57 | style="background-color:White;" | S60 || style="background-color:White;" | S59 | style="background-color:White;" | S62 || style="background-color:White;" | S61 | style="background-color:White;" | S64 || style="background-color:White;" | S63 | style="background-color:Tomato;" | S58 || style="background-color:Tomato;" | S57 | style="background-color:Tomato;" | S60 || style="background-color:Tomato;" | S59 | style="background-color:Tomato;" | S62 || style="background-color:Tomato;" | S61 | style="background-color:Tomato;" | S64 || style="background-color:Tomato;" | S63 |} === Index-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 |- ! {{no-select}} | 0 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8{{hc}} |- ! {{no-select}} | 8 | -1{{hc}} || -1{{hc}} || -1{{hc}} || -1{{hc}} || 2{{hc}} || 4{{hc}} || 6{{hc}} || 8 |} === Step-Table === Same as IMA ADPCM {| class="wikitable" style="text-align: right;" ! ! {{no-select}} | +0 ! {{no-select}} | +1 ! {{no-select}} | +2 ! {{no-select}} | +3 ! {{no-select}} | +4 ! {{no-select}} | +5 ! {{no-select}} | +6 ! {{no-select}} | +7 ! {{no-select}} | +8 ! {{no-select}} | +9 |- ! {{no-select}} | 0 | 7{{hc}} || 8{{hc}} || 9{{hc}} || 10{{hc}} || 11{{hc}} || 12{{hc}} || 13{{hc}} || 14{{hc}} || 16{{hc}} || 17{{hc}} |- ! {{no-select}} | 10 | 19{{hc}} || 21{{hc}} || 23{{hc}} || 25{{hc}} || 28{{hc}} || 31{{hc}} || 34{{hc}} || 37{{hc}} || 41{{hc}} || 45{{hc}} |- ! {{no-select}} | 20 | 50{{hc}} || 55{{hc}} || 60{{hc}} || 66{{hc}} || 73{{hc}} || 80{{hc}} || 88{{hc}} || 97{{hc}} || 107{{hc}} || 118{{hc}} |- ! {{no-select}} | 30 | 130{{hc}} || 143{{hc}} || 157{{hc}} || 173{{hc}} || 190{{hc}} || 209{{hc}} || 230{{hc}} || 253{{hc}} || 279{{hc}} || 307{{hc}} |- ! {{no-select}} | 40 | 337{{hc}} || 371{{hc}} || 408{{hc}} || 449{{hc}} || 494{{hc}} || 544{{hc}} || 598{{hc}} || 658{{hc}} || 724{{hc}} || 796{{hc}} |- ! {{no-select}} | 50 | 876{{hc}} || 963{{hc}} || 1060{{hc}} || 1166{{hc}} || 1282{{hc}} || 1411{{hc}} || 1552{{hc}} || 1707{{hc}} || 1878{{hc}} || 2066{{hc}} |- ! {{no-select}} | 60 | 2272{{hc}} || 2499{{hc}} || 2749{{hc}} || 3024{{hc}} || 3327{{hc}} || 3660{{hc}} || 4026{{hc}} || 4428{{hc}} || 4871{{hc}} || 5358{{hc}} |- ! {{no-select}} | 70 | 5894{{hc}} || 6484{{hc}} || 7132{{hc}} || 7845{{hc}} || 8630{{hc}} || 9493{{hc}} || 10442{{hc}} || 11487{{hc}} || 12635{{hc}} || 13899{{hc}} |- ! {{no-select}} | 80 | 15289{{hc}} || 16818{{hc}} || 18500{{hc}} || 20350{{hc}} || 22385{{hc}} || 24623{{hc}} || 27086{{hc}} || 29794{{hc}} || 32767 || |} === Algorithm === The algorithms for encoding and decoding are the same as IMA ADPCM. For an example implementation and an explanation, refer to the related links. == Related links == * [https://wiki.multimedia.cx/index.php/IMA_ADPCM Explanation of IMA ADPCM algorithms ] * [https://wiki.multimedia.cx/index.php/Microsoft_IMA_ADPCM Explanation of IMA ADPCM WAV storage] * [https://github.com/JayFoxRox/xbox-tools/tree/master/adpcm-decoder Tool to decode Xbox ADPCM files] * [http://samples.ffmpeg.org/game-formats/xbox-adpcm-wav/ Sample files by FFmpeg] [[Category:APU]] 08f6cc43a75639b7ccab95ad88707e9af771a0f2 0 3700 6647 6290 2019-01-11T03:16:42Z Mborgerson 2478 Add a table containing info on which adapters are known to work well with Kreon drives. wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D (<code>H/W:A Ver.D JULY 2007</code>) | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] c0c00af679a4d8ef10f0bd18ee837158d03df98b 6648 6647 2019-01-11T03:23:32Z Mborgerson 2478 wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 4991ad1f559acb851851052a17698526493a577e 0 3978 6649 2019-01-17T05:49:59Z Fisherman166 2497 Add binary division algorithm wikitext text/x-wiki RtlExtendedLargeIntegerDivide will call RtlRaiseStatus(STATUS_INTEGER_DIVIDE_BY_ZERO) if Divisor = 0. Otherwise, a custom binary division algorithm is used to perform the divide operation. The algorithm below was reverse engineered from original hardware. LARGE_INTEGER quotient = Dividend; ULONG local_remainder = 0; BOOLEAN carry, remainder_carry; for (uint8_t i = 64; i > 0; i--) { carry = (quotient.QuadPart >> 63) & 0x1; remainder_carry = (local_remainder >> 31) & 0x1; quotient.QuadPart <<= 1; local_remainder = (local_remainder << 1) | carry; if (remainder_carry || (local_remainder >= Divisor)) { quotient.u.LowPart += 1; local_remainder -= Divisor; } } if (Remainder) { *Remainder = local_remainder; } 888bc47ac22e29317b2dd5d268f3dbe0ac235e76 6650 6649 2019-01-17T05:51:20Z Fisherman166 2497 wikitext text/x-wiki RtlExtendedLargeIntegerDivide will call RtlRaiseStatus(STATUS_INTEGER_DIVIDE_BY_ZERO) if Divisor = 0. Otherwise, a custom binary division algorithm is used to perform the divide operation. The algorithm below was reverse engineered from original hardware. LARGE_INTEGER quotient = Dividend; ULONG local_remainder = 0; BOOLEAN carry, remainder_carry; for (uint8_t i = 64; i > 0; i--) { carry = (quotient.QuadPart >> 63) & 0x1; remainder_carry = (local_remainder >> 31) & 0x1; quotient.QuadPart <<= 1; local_remainder = (local_remainder << 1) | carry; if (remainder_carry || (local_remainder >= Divisor)) { quotient.u.LowPart += 1; local_remainder -= Divisor; } } if (Remainder) { *Remainder = local_remainder; } ebae80e96085e2dca9166f2ab314e15f504cf655 2 3979 6651 2019-01-22T01:48:14Z Master-bob 2507 Created page with "The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''" wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM''' 67579acba025004fd26e476e10346b56c0cc9c3e 6653 6651 2019-01-22T02:36:04Z Master-bob 2507 wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REPs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' f7569ec5ffea4b47765b4ce5548b1e9f7ea71599 6654 6653 2019-01-22T02:36:59Z Master-bob 2507 /* PA-PAC-REQUEST-EX */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' 779550764ddb3db805e373861313c7725fe956c1 6655 6654 2019-01-22T02:40:38Z Master-bob 2507 /* PA-PAC-REQUEST-EX */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' 66bca1616f4186f84c7a7b43d9768f6c205d5d89 6656 6655 2019-01-22T02:46:59Z Master-bob 2507 wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== ==AS-REP== a7c2b702be8c0aaffffdf4cfc3347666ff9a4b0a 6657 6656 2019-01-22T03:05:22Z Master-bob 2507 /* Nonce HMAC Key */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1203) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the signature from the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key if both signatures match, the key was generated correctly ==AS-REP== c7b52bf2b1e18c8d6eb4fdabf5827f6c1f5e035f 6658 6657 2019-01-22T03:05:48Z Master-bob 2507 /* Nonce HMAC Key */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1203) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== f123fccb4f4e266ac7fe447c13776fd0ffe908d6 6659 6658 2019-01-22T03:15:36Z Master-bob 2507 /* Nonce HMAC Key */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: // TODO: Add code ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 647599755e592560ee38cbd93734f6ab0e6eb526 6660 6659 2019-01-22T03:23:15Z Master-bob 2507 /* Online Key */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The following algorithm is used to decrypt it: rc4_key = HMAC-SHA1 of the hdd_key using "60 59 E8 2E DF BF 7F D3 23 35 74 2A 64 8B B1 2C" decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 7e3c8a80015eb83efef4783b933fb6e6940b115f 6661 6660 2019-01-22T03:23:54Z Master-bob 2507 /* PA-ENC-TIMESTAMP */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using "60 59 E8 2E DF BF 7F D3 23 35 74 2A 64 8B B1 2C" decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed for. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 4e0f86488d3894473181af982719eb0910cf1f3a 6662 6661 2019-01-22T03:26:56Z Master-bob 2507 /* PA-XBOX-PRE-PRE-AUTH */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using "60 59 E8 2E DF BF 7F D3 23 35 74 2A 64 8B B1 2C" decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 5d99575f48afe4fc4661cb58d51819ab4792df36 6663 6662 2019-01-22T03:56:18Z Master-bob 2507 wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 210f38431a392864ecc757e53dc00833b47722c3 6664 6663 2019-01-22T04:11:36Z Master-bob 2507 /* The Machine Account */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 855ed2e6820083bb9082fbe4bf4635d57db241bd 6665 6664 2019-01-22T04:12:58Z Master-bob 2507 /* The Machine Account */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 presumably correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, but I'm not sure about that. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== 99c4a33fe84c608ad39198a5a71abea74ae0ffcb 6666 6665 2019-01-22T04:22:36Z Master-bob 2507 /* PA-PAC-REQUEST-EX */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== edac6a92715344791769363ff0210abf56f88aea 6667 6666 2019-01-22T04:24:15Z Master-bob 2507 /* PA-PAC-REQUEST-EX */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ==AS-REP== d85c88ed640fd43a6165157ad60354461b325a7b 6668 6667 2019-01-22T04:35:46Z Master-bob 2507 /* Building the Response */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncrpytedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== 58afcb241f27dd78e7b07c62877d2a5f541190b4 6669 6668 2019-01-22T04:38:40Z Master-bob 2507 /* PA-ENC-TIMESTAMP */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: // decrypt the EEPROM to get the correct hdd key rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncrpytedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== e6e6e8dad01070433737449784580427beacad1a 6670 6669 2019-01-22T04:39:18Z Master-bob 2507 /* PA-XBOX-CLIENT-VERSION */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: // decrypt the EEPROM to get the correct hdd key rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 - Xbox Live Dashboard 5849 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key md5_ctx = MD5 of the salt (1026) as a ULONG and the nonce as a DWORD nonce_hmac_key = MD5-HMAC of md5_ctx using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncrpytedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== 844acfff79e3cdbcf6709d0e2eecf658a0bcb32b 6673 6670 2019-01-23T04:18:58Z Master-bob 2507 /* Nonce HMAC Key */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: // decrypt the EEPROM to get the correct hdd key rc4_key = HMAC-SHA1 of the hdd_key using a magical key decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT - computed as follows ** SPPA1 - SHA1(PPA1) ** PPA2 - First 8 bytes of SHA1-HMAC of PrincipalName appended to PrincipalName using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 - Xbox Live Dashboard 5849 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * '''nonce - a randomly generated number''' * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG userID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key salted_nonce = MD5 of "02 04 00 00 00 00 00 00" nonce_hmac_key = MD5-HMAC of salted_nonce using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncrpytedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== d23ea565c121a870805af4fe9e1c56b92da69431 6674 6673 2019-01-23T16:20:37Z Master-bob 2507 wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: // decrypt the EEPROM to get the correct hdd key rc4_key = SHA1-HMAC of the hdd_key using "60 59 E8 2E DF BF 7F D3 23 35 74 2A 64 8B B1 2C" decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. Not sure if it's actually needed for AS-REP. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT ** SPPA1 - SHA1 of PPA1 ** PPA2 - First 8 bytes of SHA1-HMAC of ths serial number appended to the serial number using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** Xbox Live Dashboard 5849 - XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos ticket. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * nonce - a randomly generated number * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG uniqueID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key salted_nonce = "5F F3 28 92 13 8C 9C 4B 05 84 9A 3C 10 1A DB 5D" // MD5 of "02 04 00 00 00 00 00 00" nonce_hmac_key = MD5-HMAC of salted_nonce using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncryptedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== 85ad3ecdc545c37ed42ae72e7d6b9b653772c28d 6675 6674 2019-01-23T16:23:33Z Master-bob 2507 /* REQ-BODY */ wikitext text/x-wiki The first step of Xbox Live authentication is connecting to the '''Machine Account Creation Service''', located at '''MACS.XBOXLIVE.COM'''. The Xbox would only connect to MACS once, the first time the console ever connected to Xbox Live. MACS was presumably used to keep banned consoles off of Xbox Live, and is still used to this day for Xbox 360s. The MACS exchange, like the majority of Xbox Live authentication, is done using the Kerberos system. ==AS-REQ== The first step of MACS authentication is sending an AS-REQ to MACS.XBOXLIVE.COM on UDP port 88. The AS-REQ is composed of several components. *PVNO and MSG TYPE - These have default values of 5 (Kerberos version 5) and 10 (krb-as-req), respectively. ===PADATA=== Pre authentication data (PADATA) contains most of what makes this request unique from other Kerberos systems. ====PA-ENC-TIMESTAMP==== PA-DATA TYPE 2 An official part of the Kerberos standard, this is a Unix timestamp encrypted with the later defined encryption standard (in Xbox's case, RC4-HMAC-MD5). The server attempts to decrypt this to confirm that the client is using the correct password. For MACS, the password is the console's '''Online Key''', which Microsoft stored server side on a very well guarded database. =====Online Key===== The online key is stored in an encrypted form on the Xbox's [[EEPROM]]. The key is decrypted using: // decrypt the EEPROM to get the correct hdd key rc4_key = SHA1-HMAC of the hdd_key using "60 59 E8 2E DF BF 7F D3 23 35 74 2A 64 8B B1 2C" decrypted_online_key = rc4 of online_key using rc4_key ====PA-PAC-REQUEST-EX==== PA-DATA TYPE 131 This is an Xbox modification to a custom Microsoft (PA-PAC-REQUEST) addition to Kerberos, used to define what the client expects in the response. This is encoded in ASN.1 (method of packing data structures into bytes, used by Kerberos). All AS-REQs contain the following data in this section: SEQUENCE (2 elem) [0] (1 elem) BOOLEAN true [1] (1 elem) SEQUENCE (2 elem) INTEGER 13 INTEGER 14 13 and 14 correlate to PAC_CLIENT_IDENTITY and PAC_COMPOUND_IDENTITY, respectively, and are used to tell the server to include a PUID PAC (20) in the response. Not sure if it's actually needed for AS-REP. ====PA-XBOX-PRE-PRE-AUTH==== PA-DATA TYPE 204 This is a custom preauthentication header that was used by Microsoft to quickly look up Xbox information from their database and is probably not needed. Contains the following: * currentTime - the current time, sent as a FILETIME * PPA1 - SHA1-HMAC of the principal name (the Xbox serial number) using the principal key (the online key) * SPPA2atT ** SPPA1 - SHA1 of PPA1 ** PPA2 - First 8 bytes of SHA1-HMAC of ths serial number appended to the serial number using the principal key ** SPPA2atT - SHA1 of PPA2 appended to the current time ====PA-XBOX-CLIENT-VERSION==== PA-DATA TYPE 206 This is a custom preauthentication header and arguably the most important for MACS authentication from a homebrew perspective. Contains the following: * signature - a 20 byte array used to verify the encryption key generated for the response * version - null terminated string with information about the application sending the request ** Xbox Live Dashboard 5849 - XboxVersion=1.00.5849.3 Title=0xFFFE0000 TitleVersion=408857856 ===REQ-BODY=== The remainder of the Kerberos request. '''Bold''' indicates the data are used for response building. * Padding - 0 * KDC-Options - 0b00010000 (canonicalize) * '''cname - the serial number of the Xbox''' * realm - MACS.XBOX.COM * sname - krbtgt@MACS.XBOX.COM * till - 2037-09-13 02:48:05 (UTC) * nonce - a randomly generated number * '''etype - RC4-HMAC-MD5''' ==Building the Response== The server must generate a valid machine account and encrypt it using the correct key. ===The Machine Account=== The following is how the machine account is built ''for transfer''. It is stored in a different fashion. ULONGLONG uniqueID; CHAR gamertag[16]; // SN.XXXXXXXXXXXX (the console serial number) CHAR domain[20]; // xbox.com CHAR realm[24]; // passport.net BYTE key[16]; ===Nonce HMAC Key=== The nonce HMAC key, used to encrypt the machine account, is computed as follows: temp_key = MD5-HMAC of the null terminated string "signaturekey" using the online key salted_nonce = "5F F3 28 92 13 8C 9C 4B 05 84 9A 3C 10 1A DB 5D" // MD5 of "02 04 00 00 00 00 00 00" nonce_hmac_key = MD5-HMAC of salted_nonce using temp_key The key can be verified using the PA-XBOX-CLIENT-VERSION preauth: test_signature = SHA1-HMAC of the version_string using the nonce_hmac_key // if both signatures match, the key was generated correctly ===Encryption=== The machine account is encrypted with the nonce HMAC key and salt 1203 using RC4-HMAC-MD5. The encrypted bytes are packed as a Kerberos EncryptedData object into a PA-DATA TYPE 203 preauthentication header in the AS-REP. ==AS-REP== cee24568599e3bbb2a3f55ee14f688627b418886 2 3980 6652 2019-01-22T01:48:20Z Master-bob 2507 Created page with "The following are links to my research on Xbox Live * [[User:Master-bob/MACS|Machine Account Creation Service (MACS)]]" wikitext text/x-wiki The following are links to my research on Xbox Live * [[User:Master-bob/MACS|Machine Account Creation Service (MACS)]] d0e8689cec8447c8161df01af3d38d876068689f 0 3687 6671 6635 2019-01-22T23:11:53Z Mborgerson 2478 wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. Please take everything with a grain of salt - it's still being researched. == Draw methods == === Draw Arrays === Data uploaded through DMA. Each attribute has it's own offset and stride. Decoded using the attribute information. === Inline Buffer === Data uploaded and decoded through PGRAPH methods. ==== NV097_SET_VERTEX_DATA2F_M ... NV097_SET_VERTEX_DATA2F_M + 0x7c ==== ==== NV097_SET_VERTEX_DATA4F_M ... NV097_SET_VERTEX_DATA4F_M + 0xfc ==== ==== NV097_SET_VERTEX_DATA2S ... NV097_SET_VERTEX_DATA2S + 0x3c ==== Vertex attribute values provided via NV097_SET_VERTEX_DATA2S are apparently two 16-bit signed integers, packed into 32 bits, which are then to be directly mapped to floating point values in the range [-32768.0, 32767.0]. ==== NV097_SET_VERTEX_DATA4UB ... NV097_SET_VERTEX_DATA4UB + 0x3c ==== ==== NV097_SET_VERTEX_DATA4S_M ... NV097_SET_VERTEX_DATA4S_M + 0x7c ==== === Inline Array === Data uploaded through PGRAPH method NV097_INLINE_ARRAY. The attributes are tightly packed in that buffer. Decoded using the attribute information. === Inline Elements === Same as "Draw Arrays" but with an extra index buffer. The index buffer is uploaded through PGRAPH methods NV097_ARRAY_ELEMENT16 and NV097_ARRAY_ELEMENT32. == Attribute Types == === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4. FIXME: Does this still work with attribute count =/= 4 ? Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? [[Category:NV2A]] f25c773f2b9abc5200698b1278643a42e588affe 6672 6671 2019-01-22T23:32:19Z JayFoxRox 2 Markup for FIXME wikitext text/x-wiki This article documents the attribute types which are supported by the Xbox GPU. Please take everything with a grain of salt - it's still being researched. == Draw methods == === Draw Arrays === Data uploaded through DMA. Each attribute has it's own offset and stride. Decoded using the attribute information. === Inline Buffer === Data uploaded and decoded through PGRAPH methods. ==== NV097_SET_VERTEX_DATA2F_M ... NV097_SET_VERTEX_DATA2F_M + 0x7c ==== ==== NV097_SET_VERTEX_DATA4F_M ... NV097_SET_VERTEX_DATA4F_M + 0xfc ==== ==== NV097_SET_VERTEX_DATA2S ... NV097_SET_VERTEX_DATA2S + 0x3c ==== Vertex attribute values provided via NV097_SET_VERTEX_DATA2S are apparently two 16-bit signed integers, packed into 32 bits, which are then to be directly mapped to floating point values in the range [-32768.0, 32767.0]. ==== NV097_SET_VERTEX_DATA4UB ... NV097_SET_VERTEX_DATA4UB + 0x3c ==== ==== NV097_SET_VERTEX_DATA4S_M ... NV097_SET_VERTEX_DATA4S_M + 0x7c ==== === Inline Array === Data uploaded through PGRAPH method NV097_INLINE_ARRAY. The attributes are tightly packed in that buffer. Decoded using the attribute information. === Inline Elements === Same as "Draw Arrays" but with an extra index buffer. The index buffer is uploaded through PGRAPH methods NV097_ARRAY_ELEMENT16 and NV097_ARRAY_ELEMENT32. == Attribute Types == === Normalized unsigned byte (D3D) === Unsigned bytes aranged as ZYXW (BGRA) in memory (Also see [http://www.opengl.org/registry/specs/ARB/vertex_array_bgra.txt this GL extension]). This is commonly used with an attribute count of 4{{FIXME|reason=Does this still work with attribute count =/= 4 ?}}. Each byte will be mapped into the range{{FIXME|reason=Verify}} 0.0 to 1.0. === Normalized unsigned byte (GL) === Unsigned bytes arranged as XYZW (RGBA) in memory. Each byte will be mapped into the range 0.0 to 1.0. FIXME: Verify === Normalized short === Shorts, arranged as XYZW. Each short will be mapped into the range -1.0 to 1.0 FIXME: Verify === Float === IEEE-754 single precision float arranged as XYZW. FIXME: What happens to NaN or denormals? === Short === Shorts, arranged as XYZW. Each short will be mapped into the range -32768.0 to 32767.0 FIXME: Verify === Compressed normal === Each 32 bit attribute is consisting of 11 bit X, 11 bit Y, 10 bit Z. Each component is signed and will be mapped into the range -1.0 to 1.0. FIXME: Verify FIXME: Is the attribute count ignored? [[Category:NV2A]] bae4d78c4d427e704e20b98882399abc97be9434 1 3981 6676 2019-01-24T10:48:04Z PatrickvL 2473 Created page with "How about adding haxar's xexec? Even though it's withdrawn from github, it did exist and could still be retrieved by some." wikitext text/x-wiki How about adding haxar's xexec? Even though it's withdrawn from github, it did exist and could still be retrieved by some. 74dd1ce76d21bee72e7b745f72ae60c644e045a0 0 3703 6677 6646 2019-01-24T12:09:12Z PatrickvL 2473 Added xexec and MacBox wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/MacOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |xexec |[http://xboxdevwiki.net/User:Haxar/NV2A] |Haxar |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |MacOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 3730c5f8d90fec1a5540ddeab42d3710cda0eb0a 6678 6677 2019-01-24T12:10:30Z PatrickvL 2473 Changed link to haxar wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/MacOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |MacOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] | |MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] ed331fe41f53ef7fa75a0c4618422c16ddd5fbaf 6679 6678 2019-01-24T12:19:34Z PatrickvL 2473 Updated MAME initiator and links wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/MacOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |MacOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/dettaglio_mame.php?game_name=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 6518fa23d05a8c5f814fb7d7d2c00e791c39ed18 6680 6679 2019-01-24T12:20:51Z PatrickvL 2473 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/MacOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |MacOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |Mac | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/Linux/Mac/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 88d20d224f5c7ee2f3587fa549c326b4cbba3278 6681 6680 2019-01-25T09:20:34Z JayFoxRox 2 The OS is called macOS. Also focus was on HLE for xexec, so name it first. wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}} |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 4e70e4c4438586e886ffef85d2086d460d04b68e 6682 6681 2019-01-25T09:25:13Z JayFoxRox 2 Add Xbox link to MAME wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] | |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 7e65979dcad1fc20b4c582934d4881a9fed014bc 6685 6682 2019-01-25T17:24:30Z PatrickvL 2473 Added link to XBENext wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] f656e04552a38aedfeabfad7d72543d4e9c13d6f 6686 6685 2019-01-30T13:05:51Z JayFoxRox 2 Use standard templates if available wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |viXen |[https://github.com/StrikerX3/viXen] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] c74ce78c0d2fc8a6897870da5f2817f5c340daed 6696 6686 2019-03-01T01:22:41Z StrikerX3 2510 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 348ce44e1f9d8559e094b83c5e30e083caeca1d5 0 3765 6683 5731 2019-01-25T09:59:09Z Dans34 2508 Slight AMD Heritage correction wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/NForce}} This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives. == nForce == The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours: * IGP-64: 64 bit memory bus * IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation * MCP-D: includes Dolby Digital encoder * MCP: Dolby Digital encoder disabled So these are the four possible combinations: {| class="wikitable" |- | | MCP | MCP-D |- | IGP-64 | nForce 220 | nForce 220D |- | IGP-128 | nForce 420 | nForce 420D |} [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/] The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A. [https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de] [https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm] Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side: * The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2". * The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128. == Crush == "Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX. [https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/] == nForce &amp; Xbox == The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1). [https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&amp;p=3] == AMD Heritage == There is the following rumour, which is not fully verified yet: * Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware. * When alpha hardware had already bee built, Intel made a better deal * Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an Intel CPU * Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia. * nVidia sold the same chipset for PCs, calling it "nForce". This is the reason why * the Xbox is the only nForce chipset with an Intel CPU * the AMD chipset and the nForce chipset are so similar Evidence: * The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c]) * The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c] * The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111. * The nForce and AMD-768 modems are compatible. * At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136). * The nForce uses HyperTransport. * [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html] * ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/] {| class="wikitable" |- | | Northbridge | Southbridge |- | AMD-760 | AMD-761 | AMD-766 |- | AMD-760MP | AMD-762 | AMD-766 |- | AMD-760MPX | AMD-762 | AMD-768 |} [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs] <br /> The nForce chipset might be based on the AMD-760 chipset. == More Links == [https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm] 72229eb2f73876a90a44bbd9298be08a0116a0e3 0 3800 6684 6644 2019-01-25T16:21:31Z JayFoxRox 2 Describe FIFOs wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):'''{{FIXME|reason=How is addressing affected with sample format 0x3 = 32 bit words?}} <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped''{{FIXME|reason=How are negative input words affected by rounding? 0x123000 etc.}} ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === {{FIXME|reason=Document register names? The FIFO registers are already defined in the XQEMU source}} Each of the DSP has 4 output FIFOs, and 2 input FIFOs. All FIFOs belonging to the same DSP share the memory view. The memory view is controlled in the DSPs FIFO Scatter-Gather entries. Each FIFO has 3 address registers, which define a ringbuffer: * Base address: The address of the first byte in the FIFO. * End address: The address of the first byte that's no longer part of the FIFO (so this address is exclusive). * Current address: The absolute address of the next byte that will be written. During a transfer, the current address is incremented. If the current address hits the end address during a transfer, the current address is moved to the base, where the transfer continues. If the transfer length is greater than the FIFO length when using the output FIFO, the transfer will continue normally and overwrite previously transferred bytes. If the transfer length is greater than the FIFO length when using the input FIFO, the transfer will continue normally and read previously transferred bytes again. If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] [[Category:APU]] 476a0cb2e7f2d9b5b8b64d71ac5769bec04c79a3 6689 6684 2019-02-03T17:16:39Z JayFoxRox 2 Add link to xboxpy scripts wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):'''{{FIXME|reason=How is addressing affected with sample format 0x3 = 32 bit words?}} <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped''{{FIXME|reason=How are negative input words affected by rounding? 0x123000 etc.}} ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === {{FIXME|reason=Document register names? The FIFO registers are already defined in the XQEMU source}} Each of the DSP has 4 output FIFOs, and 2 input FIFOs. All FIFOs belonging to the same DSP share the memory view. The memory view is controlled in the DSPs FIFO Scatter-Gather entries. Each FIFO has 3 address registers, which define a ringbuffer: * Base address: The address of the first byte in the FIFO. * End address: The address of the first byte that's no longer part of the FIFO (so this address is exclusive). * Current address: The absolute address of the next byte that will be written. During a transfer, the current address is incremented. If the current address hits the end address during a transfer, the current address is moved to the base, where the transfer continues. If the transfer length is greater than the FIFO length when using the output FIFO, the transfer will continue normally and overwrite previously transferred bytes. If the transfer length is greater than the FIFO length when using the input FIFO, the transfer will continue normally and read previously transferred bytes again. If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://github.com/JayFoxRox/xbox-tools/pull/70 Script to analyze DSP instructions] * [https://github.com/JayFoxRox/xbox-tools/pull/60 Script to control DSP DMA] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] [[Category:APU]] 0c36a8a63ebb1ea2243feb71ea690a54180725dc 6690 6689 2019-02-03T17:17:46Z JayFoxRox 2 Add explicit link to family manual, because people don't seem to find it wikitext text/x-wiki The DSPs in the APU are probably "Parthus MediaStream" DSP cores (probably the 24-bit DSP2420 "Mozart" core). Those are similar to Motorola DSP56362 (DSP56300 Family). If so, the datasheet can be found at http://www.nxp.com/docs/en/data-sheet/DSP56362.pdf (Also see "Documentation" section in said datasheet for the related documentation, like [https://www.nxp.com/docs/en/reference-manual/DSP56300FM.pdf the family manual]) == Memory Size == {| class="wikitable" |- ! ! Program RAM Size ! X Data RAM Size ! Y Data RAM Size ! MIXBUF Size |- ! GP | 4096 x 24-bit | 4096 x 24-bit | 2048 x 24-bit | 992{{FIXME|reason=This is probably 1024 words, but the last 32 words were not working as intended during my testing}} x 24-bit |- ! EP | 4096 x 24-bit | 3072 x 24-bit | 256 x 24-bit | n/a |} MIXBUF is accessible at X:$001400 in the GP. Other datasheets for similar DSPs suggest that the memory sizes might be different if instruction cache or switch mode are toggled. It is currently unknown if the DSPs in the Xbox APU support a similar feature{{FIXME}}. == DMA == ''This section is very incomplete and not much was tested on hardware either'' DMA is controlled using peripheral registers: * 0xFFFFD4: Memory address of next command block * 0xFFFFD5: DMA_START_BLOCK{{FIXME|reason=How is this used?}} * 0xFFFFD6: DMA_CONTROL{{FIXME|reason=Explain the bits}} * 0xFFFFD7: DMA_CONFIGURATION{{FIXME|reason=Explain the bits}} Additionally, bit 7 in the interrupt register at 0xFFFFC5 is set if a DMA End-Of-List has been encountered. === Command blocks === DSP command blocks are loaded from X-Memory. {| class="wikitable" ! Word ! Meaning ! Notes |- ! 0 | Next command block address || Memory address of next command block. Bit 14 is used as End-Of-List marker. |- ! 1 | Transfer control word || Controls the DMA transfer: '''DSP address interleave (Bit-offset 0; 1-bit):'''{{FIXME|reason=How is addressing affected with sample format 0x3 = 32 bit words?}} <ul> <li>0 = Addressing using:<pre> for (sample_index = 0; sample_index < sample_count; sample_index++) { transfer_dsp_word(dsp_address + sample_index * dsp_step_size) }</pre></li> <li>1 = Addressing using:<pre> for (block_index = 0; block_index < block_count; block_index++) { for (channel_index = 0; channel_index < channel_count; channel_index++) { transfer_dsp_word(dsp_address + block_index + channel_index * dsp_step_size) } }</pre></li> </ul> '''Direction (Bit-offset 1; 1-bit):''' * 0 = Buffer to DSP (In) * 1 = DSP to buffer (Out) '''Unknown (Bit-offset 2; 2-bits):''' * 0 = ? * 1 = ? * 2 = ? * 3 = ? '''Buffer offset writeback (Bit-offset 4; 1-bit):''' ''Only used for scratch buffers, behaves like 0 otherwise.''{{FIXME|reason=Assumption; Didn't do anything for FIFO0. Not sure if I documented this for 0xE or 0xF}} * 0 = Don't update buffer offset (Word 4) * 1 = Update buffer offset (Word 4); this respects address wrapping of circular buffers '''Buffer (Bit-offset 5; 4-bits):''' * 0x0 = FIFO0 (In / Out) * 0x1 = FIFO1 (In / Out) * 0x2 = FIFO2 (Out only; Buffer to DSP is ignored) * 0x3 = FIFO3 (Out only; Buffer to DSP is ignored) * 0x4 = ? * 0x5 = ? * 0x6 = ? * 0x7 = ? * 0x8 = ? * 0x9 = ? * 0xA = ? * 0xB = ? * 0xC = ? * 0xD = ? * 0xE = Scratch (Circular) * 0xF = Scratch '''Unknown (Bit-offset 9; 1-bit):''' * 0 = ? * 1 = ? '''Sample format (Bit-offset 10; 3-bits):''' ''{{FIXME|reason=Some of these need tests with signed datatypes}}'' * 0x0 = 8 bit (1 DSP word / 1 byte); ''sample-count must be multiple of 4, or transfer is skipped; rounded; byte MSB is flipped''{{FIXME|reason=How are negative input words affected by rounding? 0x123000 etc.}} ** Buffer to DSP: bytes: <code>0x12,0x34,0x56,0x78</code> &rarr; words: <code>0x920000, 0xB40000, 0xD60000, 0xF80000</code> ** Buffer to DSP: bytes: <code>0x92,0xB4,0xD6,0xF8</code> &rarr; words: <code>0x120000, 0x340000, 0x560000, 0x780000</code> ** DSP to buffer: words: <code>0x927FFF, 0xB47FFF, 0xD67FFF, 0xF87FFF</code> &rarr; bytes: <code>0x12,0x34,0x56,0x78</code> ''(Rounded down)'' ** DSP to buffer: words: <code>0x928000, 0xB48000, 0xD68000, 0xF88000</code> &rarr; bytes: <code>0x13,0x35,0x57,0x79</code> ''(Rounded up)'' ** DSP to buffer: words: <code>0x800000, 0x7E7FFF, 0x7E8000, 0x7FFFFF</code> &rarr; bytes: <code>0x00,0xFE,0xFF,0xFF</code> ''(Saturated)'' * 0x1 = 16 bit (1 DSP word / 2 bytes) ''sample-count must be multiple of 2, or transfer is skipped; truncated'' ** Buffer to DSP: bytes: <code>0x34,0x12</code> &rarr; word: <code>0x123400</code> ** DSP to buffer: word: <code>0x1234FF</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' ** DSP to buffer: word: <code>0x123400</code> &rarr; bytes: <code>0x34,0x12</code> ''(Truncated)'' * 0x2 = 24 bit in MSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x00,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0xFF,0x56,0x34,0x12</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x00,0x56,0x34,0x12</code> ''(Zero padding)'' * 0x3 = 32 bit (2 DSP words / 4 bytes); ''trunacted'' ** Buffer to DSP: bytes: <code>0x12,0xBC,0x9A,0x78</code> &rarr; words: <code>0x120000, 0x789ABC</code> ** DSP to buffer: words: <code>0x12FFFF, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' ** DSP to buffer: words: <code>0x120000, 0x789ABC</code> &rarr; bytes: <code>0x12,0xBC,0x9A,0x78</code> ''(Truncated)'' * 0x4 = ''Transfer skipped'' * 0x5 = ''Transfer skipped'' * 0x6 = 24 bit in LSB (1 DSP word / 4 bytes); ''padded'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0x00</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** Buffer to DSP: bytes: <code>0x56,0x34,0x12,0xFF</code> &rarr; word: <code>0x123456</code> ''(Padding ignored)'' ** DSP to buffer: word: <code>0x123456</code> &rarr; bytes: <code>0x56,0x34,0x12,0x00</code> ''(Zero padding)'' * 0x7 = ''Transfer skipped'' '''Unknown (Bit-offset 13; 1-bit):''' * 0 = ? * 1 = ? '''DSP address step size (Bit-offset 14; 10-bits):''' Used in DSP address calculation |- ! 2 | Sample count || Behaviour depends on interleave setting * Non-interleaved mode: : : '''Sample count (Bit-offset 0; 24-bits):''' : The number of samples to be transferred : : * Interleaved mode: : : '''Channel count (Bit-offset 0; 4-bits):''' : The number of channels minus 1. For 3 channels, this has to be 0x2. : : '''Block count (Bit-offset 4; 20-bits):''' : The number of blocks to be transferred. : : |- ! 3 | DSP address || This is the address in the DSP: * 0x0000 - 0x17FF = X-Memory * 0x1800 - 0x27FF = Y-Memory * 0x2800 - 0x37FF = P-Memory |- ! 4 | Buffer offset || ''Only used for scratch buffers, ignored otherwise.''{{FIXME|reason=Assumption; effect in buffers 0xE / 0xF; didn't seem to do anything for buffer 0x0}} This is the offset within the buffer where the first sample is accessed. If this is above or equal to the buffer end (buffer base + buffer size), then the write will behave like a non circular write. |- ! 5 | Buffer base || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} The start address of the buffer. |- ! 6 | Buffer size || ''Only used for circular scratch buffer, ignored otherwise.''{{FIXME|reason=Assumption; it happens for buffer 0xE, but not for buffer 0xF}} Size of buffer minus 1. For a buffer with 0x1000 bytes, this has to be 0xFFF. |} === FIFO === {{FIXME|reason=Document register names? The FIFO registers are already defined in the XQEMU source}} Each of the DSP has 4 output FIFOs, and 2 input FIFOs. All FIFOs belonging to the same DSP share the memory view. The memory view is controlled in the DSPs FIFO Scatter-Gather entries. Each FIFO has 3 address registers, which define a ringbuffer: * Base address: The address of the first byte in the FIFO. * End address: The address of the first byte that's no longer part of the FIFO (so this address is exclusive). * Current address: The absolute address of the next byte that will be written. During a transfer, the current address is incremented. If the current address hits the end address during a transfer, the current address is moved to the base, where the transfer continues. If the transfer length is greater than the FIFO length when using the output FIFO, the transfer will continue normally and overwrite previously transferred bytes. If the transfer length is greater than the FIFO length when using the input FIFO, the transfer will continue normally and read previously transferred bytes again. If the current address is below the base address when starting a transfer, it is moved to the base address. If the current address is above or equal to the end address when starting a transfer, the DSP hangs{{FIXME|reason=Needed to reboot Xbox to start new DMA, even DSP reset did not work}}. == Related links == * [https://github.com/XboxDev/a56 Modernized fork of a56, open-source assembler for the similar 56000 architecture] * [https://github.com/JayFoxRox/xbox-tools/pull/70 Script to analyze DSP instructions] * [https://github.com/JayFoxRox/xbox-tools/pull/60 Script to control DSP DMA] * [https://web.archive.org/web/20010212122052/http://www.parthus.com:80/platforms/parthus_mediastream/index.html MediaStream product page] * [https://web.archive.org/web/20011130084353/http://www.fs2.com:80/parthus_download/ First Silicon MediaStream tools] * [https://web.archive.org/web/20020213235936/http://www.tasking.com/products/MediaStream/index.html Tasking MediaStream compiler] [[Category:APU]] cf6af4bd7d84de0df6c71397e76537f4fddb5e9a 0 3768 6687 6539 2019-02-01T01:46:10Z JayFoxRox 2 Old link was broken, but tool is also linked above with new link wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 909d42288bcb792f93a9da0a75216e9600a449c8 0 3799 6688 6641 2019-02-02T00:10:14Z JayFoxRox 2 Some more basic APU information wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). The APU consists of 3 main components for audio-processing: * VP: A fixed-function block, that generates 32 channel mono audio from voices; the audio is output to the GP MIXBUF. * GP: A programmable DSP, it is intended for general-purpose audio processing (programmable audio effects for example). * EP: A programmable DSP, it is intended for audio encoding (5.1 AC3 encoding for example). VP and GP are connected by the MIXBUF, but GP and EP are entirely independent, and no special-purpose memory area connects them. Therefore, the communication between the GP and EP typically happens through programmable DMA transfers (via FIFO or scratch memory). The GP and EP are based on the same DSP architecture, run at the same clockrate, and have the same functionality (the EP has less memory, and no direct access to the MIXBUF). So, theoretically, nothing prevents the GP from doing EP tasks or vice versa{{FIXME|reason=I have not seen counter-arguments}}. The APU does only audio-processing but no audio output. Hence, one of the DSPs typically uses programmable DMA to transfer the finished audio to system memory, where it can be read by other components (such as AC97). All audio processing by the APU is typically done in 24bit PCM at 48000Hz. An APU audio frame is 32 samples long, so there are 1500 frames per second. The MIXBUF therefore holds 1024 samples (32 channels * 32 samples/channel). === Glossary === * PRD = Physical Resource Descriptor (Same thing as SGE?!) * SGE = Scatter Gather Entry * SSL = Stream Segment List == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound APIs. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] [[Category:APU]] ccc3b831d9c473f2780bd0635b4c7a52796fa818 0 3674 6691 6283 2019-02-04T15:18:25Z PatrickvL 2473 corrected address range ends to be inclusive (most where exclusive) wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |APU Registers |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 08a428e554ec33db049fcbd58fb97351db25533d 6692 6691 2019-02-04T15:22:34Z JayFoxRox 2 Add links wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. On Debug Xboxs and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> d20a4bfd77cc1cd09d3aa3bcb7fdf6661ca35950 0 3680 6693 5028 2019-02-09T02:50:00Z JayFoxRox 2 Use archived website before it was defaced wikitext text/x-wiki Seemingly abandoned, but then sprung back into life in 2016 after 7 years of inactivity. == References == [https://web.archive.org/web/20170624051336/http://openxdk.sourceforge.net:80/ openxdk.sourceforge.net] 645ee4c8d028d2fe9bc18d44f5ca76181e0da379 0 11 6694 6579 2019-02-11T06:35:18Z DiscoStarslayer 2509 Testing on halo: ce I sampled force feedback events from the shotgun with values of 0xFFFF wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === From http://www.yaronet.com/topics/154490-steel-battalion-controller-homemade#post-15 <pre>bcdUSB: 0x0110 bDeviceClass: 0x00 bDeviceSubClass: 0x00 bDeviceProtocol: 0x00 bMaxPacketSize0: 0x08 (8) idVendor: 0x0A7B idProduct: 0xD000 bcdDevice: 0x0100 iManufacturer: 0x00 iProduct: 0x00 iSerialNumber: 0x00 bNumConfigurations: 0x01 ConnectionStatus: DeviceConnected Current Config Value: 0x00 Device Bus Speed: Full Device Address: 0x03 Open Pipes: 0 Configuration Descriptor: wTotalLength: 0x0020 bNumInterfaces: 0x01 bConfigurationValue: 0x01 iConfiguration: 0x00 bmAttributes: 0x80 (Bus Powered ) MaxPower: 0xFA (500 Ma) Interface Descriptor: bInterfaceNumber: 0x00 bAlternateSetting: 0x00 bNumEndpoints: 0x02 bInterfaceClass: 0x58 bInterfaceSubClass: 0x42 bInterfaceProtocol: 0x00 iInterface: 0x00 Endpoint Descriptor: bEndpointAddress: 0x82 Transfer Type: Interrupt</pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 209e131d6e07925afdd4cf745e6329cc01740d31 0 3689 6695 6559 2019-02-16T16:09:33Z JayFoxRox 2 /* delete (Delete file) */ wikitext text/x-wiki The '''Xbox Debug Monitor''' ('''XBDM''') is a feature of Xbox Development Kits that provides remote debugging, file management, console discovery, and other services on TCP/UDP port 731. It is loaded by debug kernels at startup from <code>C:\xbdm.dll</code> and its configuration is read from <code>E:\xbdm.ini</code>. XBDM is distinct from KD and uses a different wire protocol. ==Name Answering Protocol== An Xbox Development Kit (XDK) can be assigned a ''debug name'' that identifies it on the local network. XBDM provides the ability to resolve a debug name to an IP address ([[#Forward Lookup|forward lookup]]), resolve an IP address to a debug name ([[#Reverse Lookup|reverse lookup]]), and [[#Console Discovery|discover]] all XDKs on the local network using a very simple UDP-based protocol. {|class="wikitable" style="margin: 0 auto; text-align: center;" |+Name Answering Protocol Packet |- ! style="border-bottom:none; border-right:none;"| ''Offsets'' ! style="border-left:none;"| Octet ! colspan="8" | 0 ! colspan="8" | 1 |- ! style="border-top: none" | Octet ! Bit!!0!!1!!2!!3!!4!!5!!6!!7!!8!!9!!10!!11!!12!!13!!14!!15 |- ! 0 ! 0 | colspan="8" | Type || colspan="8" | Name Length |- ! 2 ! 16+ | colspan="16" | Name |} A NAP packet contains 3 fields, the last of which is variable-length. The minimum length of a NAP packet is 2 bytes and the maximum is 257. Invalid packets are silently dropped by XBDM. ; Type : This unsigned 8-bit field may contain the values 1 (lookup), 2 (reply), or 3 (wildcard). ; Name Length : This unsigned 8-bit field specifies the length of the Name field and should be a value from 0 to 255. For Type 3 packets, this field should always be 0. For Type 1 and Type 2 packets, this field should never be 0. ; Name : This variable-length field contains the ASCII-encoded debug name for Type 1 and Type 2 packets. The number of bytes in this field is given by the Length field. It should not contain any <code>NUL</code> characters. ===Forward Lookup=== To resolve a debug name to an IP address, send a Type 1 NAP packet containing the debug name to be resolved to UDP address 255.255.255.255:731. The XDK with that name will respond with a Type 2 NAP packet and its IP address can be retrieved from the UDP header. There is no way to prevent multiple XDKs being assigned the same debug name, so it's possible that the client may receive replies from multiple IP addresses. ===Reverse Lookup=== To resolve an IP address to a debug name, send a Type 3 NAP packet with no name (length 0) to the IP address on UDP port 731. Assuming the target is actually an XDK, it will respond with a Type 2 NAP packet containing its name. This is very similar to the Console Discovery process (below), except that by sending the wildcard packet to a single IP address, only that XDK will respond. ===Console Discovery=== To discover all XDKs on the local network, send a Type 3 NAP packet with no name (length 0) to the UDP address 255.255.255.255:731. Each XDK will respond with a Type 2 NAP packet containing its name. As with a forward lookup, the client may receive multiple replies with the same name, but different IP addresses. ==Remote Debugging and Control Protocol== The Remote Debugging and Control Protocol (RDCP) is a text-based protocol transmitted over a TCP connection on port 731. RDCP resembles protocols like FTP and SMTP, making it possible to communicate with XBDM using just a Telnet client in many cases. When a connection is established, XBDM sends <code>201- connected</code> (or <code>200- connected</code> in version 3944) followed by <CR><LF> (that is, a carriage return character followed by a line feed character). The RDCP client is then free to send a [[#Commands|command]] followed by <CR><LF> or <CR><NUL>. After executing a command, XBDM replies with a response line consisting of a three-digit status code and message of the form <code>999- message text<CR><LF></code>. Note that unlike similar protocols, the <code>-</code> (dash) is always present in responses and messages cannot span multiple lines. ===Status codes=== In responses, 2xx status codes indicate success and 4xx codes indicate failure. Most codes have a default message, but some commands leave the message field empty while others use the message field to hold whatever data was requested by the client or additional information about an error. ====2xx Success==== ; <span id="status_200">200- OK</span> : Standard response for successful execution of a command. ; <span id="status_201">201- connected</span> : Initial response sent after a connection is established. The client does not need to send anything to solicit this response. ; <span id="status_202">202- multiline response follows</span> : The response line is followed by one or more additional lines of data terminated by a line containing only a <code>.</code> (period). The client must read all available lines before sending another command. ; <span id="status_203">203- binary response follows</span> : The response line is followed by raw binary data, the length of which is indicated in some command-specific way. The client must read all available data before sending another command. ; <span id="status_204">204- send binary data</span> : The command is expecting additional binary data from the client. After the client sends the required number of bytes, XBDM will send another response line with the final result of the command. ; <span id="status_205">205- connection dedicated</span> : The connection has been moved to a dedicated handler thread (see [[#Connection dedication]]). ====4xx Failure==== ; <span id="status_400">400- unexpected error</span> : An internal error occurred that could not be translated to a standard error code. The message is typically more descriptive, such as "out of memory" or "bad parameter". ; <span id="status_401">401- max number of connections exceeded</span> : The connection could not be established because XBDM is already serving the maximum number of clients (4). ; <span id="status_402">402- file not found</span> : An operation was attempted on a file that does not exist. ; <span id="status_403">403- no such module</span> : An operation was attempted on a module that does not exist. ; <span id="status_404">404- memory not mapped</span> : An operation was attempted on a region of memory that is not mapped in the page table. ; <span id="status_405">405- no such thread</span> : An operation was attempted on a thread that does not exist. ; <span id="status_406">406-</span> : An attempt to set the system time with the <code>[[#cmd_setsystime|setsystime]]</code> command failed. This status code is undocumented. ; <span id="status_407">407- unknown command</span> : The command is not recognized. ; <span id="status_408">408- not stopped</span> : The target thread is not stopped. ; <span id="status_409">409- file must be copied</span> : A move operation was attempted on a file that can only be copied. ; <span id="status_410">410- file already exists</span> : A file could not be created or moved because one already exists with the same name. ; <span id="status_411">411- directory not empty</span> : A directory could not be deleted because it still contains files and/or directories. ; <span id="status_412">412- filename is invalid</span> : The specified file contains invalid characters or is too long. ; <span id="status_413">413- file cannot be created</span> : The file cannot be created for some unspecified reason. ; <span id="status_414">414- access denied</span> : The file cannot be accessed at the connection's current privilege level (see [[#Security]]). ; <span id="status_415">415- no room on device</span> : The target device has run out of storage space. ; <span id="status_416">416- not debuggable</span> : The title is not debuggable. ; <span id="status_417">417- type invalid</span> : The performance counter type is invalid. ; <span id="status_418">418- data not available</span> : The performance counter data is not available. ; <span id="status_420">420- box not locked</span> : The command can only be executed when security is enabled (see [[#Security]]). ; <span id="status_421">421- key exchange required</span> : The client must perform a key exchange with the <code>[[#cmd_keyxchg|keyxchg]]</code> command (see [[#Security]]). ; <span id="status_422">422- dedicated connection required</span> : The command can only be executed on a dedicated connection (see [[#Connection dedication]]). ===Connection dedication=== '''Connection dedication''' is the process of moving a client connection from the ''global server thread'' to a ''threaded command handler thread'' with the <code>dedicate</code> command. By default, commands sent to XBDM are processed on the global server thread. Built-in commands and custom command handlers registered with <code>DmRegisterCommandProcessor</code> are run on this thread and may only execute kernel APIs. Commands that need to call CRT or XAPI functions must run in a threaded command handler, registered with <code>DmRegisterCommandProcessorEx</code> or <code>DmRegisterThreadedCommandProcessor</code>. A client that has not dedicated its connection will receive a <code>422- dedicated connection required</code> response if it tries to execute a threaded command on the global server thread. After dedicating itself to a threaded command handler, the client can no longer send built-in or non-threaded commands until it re-dedicates itself to the global server thread. ===Security=== TODO ===Commands=== ''See also: [[XBDM commands by version]]'' A command consists of a name and zero or more parameters separated by whitespace characters. The format of the parameters is defined by the command, but most commands use the form <code>key=value</code>. Parameter values that contain whitespace characters must be surrounded by double quotes (e.g. <code>"some value"</code> or <code>key="some value"</code>). In the command descriptions below, the following data types are used: {| class="wikitable" style="margin: 0 auto" ! Type !! Description |- | DWORD || A 32-bit integer in hexadecimal format (e.g. <code>0x1234ABCD</code>). |- | QWORD || A 64-bit integer in hexadecimal format, but prefixed with 0q instead of 0x (e.g. <code>0q0123456789ABCDEF</code>). |- | STRING || An ASCII-encoded string, optionally surrounded by double quotes. |} ====<span id="cmd_adminpw">adminpw</span> (Set administrator password)==== {{XBDM command|version=4039+|text=adminpw none|privs=manage}} Clear the administrator password. {{XBDM command|version=4039+|text=adminpw passwd=QWORD|privs=manage}} Set the administrator password to the value of the <code>passwd</code> parameter. Note that <code>passwd</code> is a 64-bit integer instead of a string. The details of the conversion from a string password to a 64-bit integer are currently unknown. ====<span id="cmd_altaddr">altaddr</span>==== ====<span id="cmd_authuser">authuser</span> (Authenticate user)==== ====<span id="cmd_boxid">boxid</span>==== ====<span id="cmd_break">break</span>==== ====<span id="cmd_bye">bye</span> (Close connection)==== ====<span id="cmd_capcontrol">capcontrol</span>/<span id="cmd_capctrl">capctrl</span>==== ====<span id="cmd_continue">continue</span>==== ====<span id="cmd_crashdump">crashdump</span>==== ====<span id="cmd_d3dopcode">d3dopcode</span>==== ====<span id="cmd_dbgname">dbgname</span> (Get/set debug name)==== ====<span id="cmd_dbgoptions">dbgoptions</span>==== ====<span id="cmd_debugger">debugger</span>==== ====<span id="cmd_debugmode">debugmode</span>==== ====<span id="cmd_dedicate">dedicate</span> (Dedicate connection)==== ====<span id="cmd_deftitle">deftitle</span>==== ====<span id="cmd_delete">delete</span> (Delete file or directory)==== {{XBDM command|text=delete name=STRING dir}} Deletes a file or directory. To delete a directory, the optional <code>dir</code> attribute must be present. ====<span id="cmd_dirlist">dirlist</span> (List files in directory)==== ====<span id="cmd_dmversion">dmversion</span> (Get debug monitor version)==== ====<span id="cmd_drivefreespace">drivefreespace</span> (Get free space on drive)==== ====<span id="cmd_drivelist">drivelist</span> (List drive letters)==== {{XBDM command|text=drivelist}} Returns a string which contains the drive-letter for each accessible drive. ====<span id="cmd_dvdblk">dvdblk</span> (Read block from DVD)==== ====<span id="cmd_dvdperf">dvdperf</span>==== ====<span id="cmd_fileeof">fileeof</span>==== ====<span id="cmd_flash">flash</span> (Flash BIOS image)==== ====<span id="cmd_fmtfat">fmtfat</span> (Format FAT partition)==== ====<span id="cmd_funccall">funccall</span>==== ====<span id="cmd_getcontext">getcontext</span> (Get thread context)==== ====<span id="cmd_getd3dstate">getd3dstate</span> (Get Direct3D state)==== ====<span id="cmd_getextcontext">getextcontext</span> (Get extended thread context)==== ====<span id="cmd_getfile">getfile</span> (Download file)==== {{XBDM command|text=getfile name=STRING}} Retrieve the entire contents of the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. {{XBDM command|text=getfile name=STRING offset=DWORD size=DWORD}} Retrieve <code>size</code> bytes starting at <code>offset</code> from the named file. The received data is prefixed with a 32 bit little endian value, which contains the number of bytes which have been read. ====<span id="cmd_getfileattributes">getfileattributes</span> (Get file attributes)==== ====<span id="cmd_getgamma">getgamma</span> (Get gamma table)==== ====<span id="cmd_getmem">getmem</span> (Read memory)==== ====<span id="cmd_getmem2">getmem2</span> (Read memory)==== ====<span id="cmd_getpalette">getpalette</span>==== ====<span id="cmd_getpid">getpid</span>==== ====<span id="cmd_getsum">getsum (Generate memory checksums)</span>==== {{XBDM command|version=5120+|text=getsum addr=DWORD length=DWORD blocksize=DWORD}} Generates one or more checksums from memory. The function will return <code>length</code> divided by <code>blocksize</code> 32-bit little endian checksums for the memory starting at virtual address <code>addr</code>. The <code>addr</code>, <code>length</code> and <code>blocksize</code> must be multiples of 8. Picking bad values can lead to crashes. Each checksum is equal to <code>ReverseBitOrder(CRC32(address + blockoffset, blocksize) XOR 0xFFFFFFFF)</code> for the respective block. ====<span id="cmd_getsurf">getsurf</span>==== ====<span id="cmd_getuserpriv">getuserpriv</span> (Get user's privilege level)==== ====<span id="cmd_getutildrvinfo">getutildrvinfo</span> (Get utility drive information)==== ====<span id="cmd_go">go</span>==== ====<span id="cmd_gpucount">gpucount</span> (Toggle GPU counters)==== ====<span id="cmd_halt">halt</span>==== ====<span id="cmd_irtsweep">irtsweep</span>==== ====<span id="cmd_isbreak">isbreak</span>==== ====<span id="cmd_isdebugger">isdebugger</span>==== ====<span id="cmd_isstopped">isstopped</span>==== ====<span id="cmd_kd">kd</span> (Enable/disable kernel debugger)==== ====<span id="cmd_keyxchg">keyxchg</span> (Perform key exchange)==== ====<span id="cmd_lockmode">lockmode</span>==== ====<span id="cmd_lop">lop</span>==== ====<span id="cmd_magicboot">magicboot (Boot into new title)</span>==== {{XBDM command|text=magicboot title=STRING debug}} Boots into another title, specified by the path to XBE in <code>title</code>. If the optional <code>debug</code> is provided, XBDM will remain loaded while the title is running. ====<span id="cmd_memtrack">memtrack</span>==== ====<span id="cmd_mkdir">mkdir</span> (Create directory)==== ====<span id="cmd_mmglobal">mmglobal</span>==== ====<span id="cmd_modlong">modlong</span>==== ====<span id="cmd_modsections">modsections</span>==== ====<span id="cmd_modules">modules</span>==== ====<span id="cmd_nostopon">nostopon</span>==== ====<span id="cmd_notify">notify</span>==== ====<span id="cmd_notifyat">notifyat</span>==== ====<span id="cmd_pbsnap">pbsnap</span>==== ====<span id="cmd_pclist">pclist</span> (List performance counters)==== ====<span id="cmd_pdbinfo">pdbinfo</span>==== ====<span id="cmd_pssnap">pssnap</span>==== ====<span id="cmd_querypc">querypc</span> (Query performance counter)==== ====<span id="cmd_reboot">reboot</span>==== ====<span id="cmd_rename">rename</span> (Rename file)==== ====<span id="cmd_resume">resume</span>==== ====<span id="cmd_screenshot">screenshot</span> (Take screenshot)==== ====<span id="cmd_sendfile">sendfile</span> (Upload file)==== ====<span id="cmd_servname">servname</span>==== ====<span id="cmd_setconfig">setconfig</span>==== ====<span id="cmd_setcontext">setcontext</span> (Set thread context)==== ====<span id="cmd_setfileattributes">setfileattributes</span> (Set file attributes)==== ====<span id="cmd_setsystime">setsystime</span> (Set system time)==== ====<span id="cmd_setuserpriv">setuserpriv</span> (Set user's privilege level)==== ====<span id="cmd_signcontent">signcontent</span>==== ====<span id="cmd_stop">stop</span>==== ====<span id="cmd_stopon">stopon</span>==== ====<span id="cmd_suspend">suspend</span>==== ====<span id="cmd_sysfileupd">sysfileupd</span> (Update system file)==== ====<span id="cmd_systime">systime</span> (Get system time)==== ====<span id="cmd_threadinfo">threadinfo</span> (Get thread information)==== ====<span id="cmd_threads">threads</span> (List threads)==== ====<span id="cmd_title">title</span>==== ====<span id="cmd_user">user</span>==== ====<span id="cmd_userlist">userlist</span> (List users)==== ====<span id="cmd_vssnap">vssnap</span>==== ====<span id="cmd_walkmem">walkmem</span>==== ====<span id="cmd_writefile">writefile</span>==== ====<span id="cmd_xbeinfo">xbeinfo</span>==== ====<span id="cmd_xtlinfo">xtlinfo</span>==== ==See Also== * [[Xbox Neighborhood]] – An XDK tool that utilizes the XBDM protocols ==External Links== * [https://github.com/Ernegien/ViridiX ViridiX] – An open-source collection of Xbox debugging libraries and tools written in C#. * [https://github.com/docbrown/xbdm-rs xbdm-rs] - An open-source XBDM client written in Rust. 2712f0478dccacce61b5e09edf8358d2e76b92f5 0 3693 6697 6551 2019-03-04T17:19:44Z Wayo 2479 wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Matchmaking servers === === Game servers === === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. It will return XONLINETASK_S_RUNNING while the login process has not been completed. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) |Will return XONLINE_S_LOGON_CONNECTION_ESTABLISHED when the task is successfully completed. Otherwise it will return an error code. |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} 6af4f3d4c6854877eab51c604e3060cb767cd1bf 0 3671 6698 6534 2019-03-10T15:04:17Z Espes 2484 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers [https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. == ROM == The MCPX is home to the secret [[MCPX ROM]]. == Pin L21: PC Speaker == The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> == See Also == [[NForce]] [http://siliconpr0n.org/archive/doku.php?id=azonenberg:nvidia:mcpx Die Inspection] c6639c606e3bfe88809afbe337763c1e31e15874 0 3671 6699 6698 2019-03-10T15:07:58Z Espes 2484 /* See Also */ wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers [https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. == ROM == The MCPX is home to the secret [[MCPX ROM]]. == Pin L21: PC Speaker == The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> == See Also == * [[NForce]] * [http://siliconpr0n.org/archive/doku.php?id=azonenberg:nvidia:mcpx Die Inspection] b5eed8671e1afea291641fd07f6ece21cb4c3bdd 6745 6699 2019-07-16T05:39:43Z Redherring32 2513 /* Pin L21: PC Speaker */ wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers [https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. == ROM == The MCPX is home to the secret [[MCPX ROM]]. == Pin L21: PC Speaker == The MCPX has a PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin in order to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> == See Also == * [[NForce]] * [http://siliconpr0n.org/archive/doku.php?id=azonenberg:nvidia:mcpx Die Inspection] 52857858f37c2214e5d73fbd1dc63925c9f3f206 6746 6745 2019-07-16T05:46:10Z Redherring32 2513 wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset made by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) as well as the USB, PCI, IDE, etc, controllers [https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. == ROM == The MCPX is home to the secret [[MCPX ROM]]. == Pin L21: PC Speaker == The MCPX has a PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin in order to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> == See Also == * [[NForce]] * [http://siliconpr0n.org/archive/doku.php?id=azonenberg:nvidia:mcpx Die Inspection] 9352b8d23913bbed9a7450859b15e8b394942c87 0 3692 6700 6601 2019-03-12T00:35:18Z JayFoxRox 2 Add links for MN740 firmware updates on MS website / wayback machine wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually an official wireless adapter was released based of a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with a Xbox setup disc (wich would update the dashboard if necessary). It was also [https://web.archive.org/web/20040508051958/http://www.xbox.com/en-US/live/connect/msmn740.htm described on Micosofts website]. ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some Eeprom wich hold the MAC adress (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 leds are: Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what apears to be Serial testpins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" latest firmware is seperated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" There were at least 2 firmware updates for download: * [https://web.archive.org/web/20031210155952/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_101.htm MN740 1.01] * [https://web.archive.org/web/20040602231929/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_102.htm MN740 1.02] Judging by the firmware filenames above, there should also be a MN740 1.00 and MN740 1.03. ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or webbrowser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] b2123c891b349f40198bf5c68c9981ed0f8f3c94 0 3701 6701 6361 2019-03-21T13:46:37Z JayFoxRox 2 /* References and links */ wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPRDT section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages (Microsoft) page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://randomascii.wordpress.com/2019/03/20/exercises-in-emulation-xbox-360s-fma-instruction/ Blog post about FMA math emulation by Bruce Dawson (Microsoft)] * [https://www.youtube.com/watch?v=Da_ont-2AG0 Modern Vintage Gamer: Revisiting Original Xbox Backward Compatibility on the Xbox 360] 11934625d40704f877b2c0a3eab997298e9018cf 0 3682 6702 5031 2019-04-02T11:07:14Z Nsd0g 2512 An update detailing the xbox, still has work to do wikitext text/x-wiki The Xbox is a games console developed by Microsoft and released on the 15th of November 2001. The console was designed to directly compete with Sony's PlayStation 2. In 1998http://xboxdevwiki.net/index.php?title=Talk:Xbox&action=edit&redlink=1, Kevin Bachus, Seamus Blackley, Ted Hase and Otto Berkes, disassembled some Dell laptops to create a Windows based gaming machine, dubbed the DirectXbox. The team then approached Ed Fries, the leader of Microsoft's game publishing division at the time, with their idea. Ed Fries chose to support the team's idea. During development of the console, the team shortened the name to Xbox, which the marketing division at Microsoft not liking the idea. Focus testing showed that consumers preferred the name "Xbox" over anything else that was said during testing, so the name stuck. The Xbox was designed with multiplayer in mind, as the console had a ethernet cable and 4 controller ports. In 2002 Microsoft released Xbox Live, a subscription service where players could pay a monthly fee to play online with other Xbox owners in games such as ''Halo'', ''Project Gotham Racing'', and ''Madden''. The service was discontinued on April 15th, 2010, where 12 players sat in a lobby of ''Halo 2'' 24/7 to keep the server running. Microsoft saluted their decision, and said that they weren't going to kick the players off. Instead they offered the players Halo: Reach beta codes. The final player, Apache N4SIR was streaming the entire thing, as the 12 players twindeled down to just him. On stream, he was wondering what he should do, and one viewer suggested playing through the campain, but not beating the final mission, as it would kick him offline, and at 11:40 PM PDT, on May 11th 2010, Apache was booted from the game. This image details the story (https://external-preview.redd.it/A6pf_qIL-DN--q3jRIvcRvklICQp-qk3zJjwogSGTzY.jpg?width=960&crop=smart&auto=webp&s=e5c0b2fa5f8f7b5fdbec96cd26d015177e399542) Emulation for the original xbox exists, as there are 3 emulators for it, XQEMU, Cxbx-r and an emulator that Strider3X is developing ef168e25d658e4dbb2adf9d89a22bfa0a6e7a233 6704 6702 2019-04-05T11:32:23Z JayFoxRox 2 Data was duplicated from Wikipedia; please contribute to that instead, and just link it wikitext text/x-wiki The Xbox is a games console developed by Microsoft and released on the 15th of November 2001. === Links === * [[wikipedia:Xbox (console)|Wikipedia article]] 3aaa76c3921f0a5fb9ddc583e8661c88bf98065b 0 3693 6703 6697 2019-04-05T11:27:39Z JayFoxRox 2 Move content by Nsd0g (and focus on factual and important aspects) wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of authentication servers, matchmaking servers, and game servers. === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customizations for the Xbox. Kerberos Authentication Server: macs.xboxlive.com {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Matchmaking servers === === Game servers === === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. It will return XONLINETASK_S_RUNNING while the login process has not been completed. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) |Will return XONLINE_S_LOGON_CONNECTION_ESTABLISHED when the task is successfully completed. Otherwise it will return an error code. |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} == Discontinuation of service == The service was officially discontinued on April 15th, 2010. 12 players decided to stay in a lobby of ''Halo 2'' 24/7 to keep a server running. The final player, Apache N4SIR was streaming the entire event, as the player count of 12 twindeled down to just him. At 11:40 PM PDT, on May 11th 2010, Apache N4SIR was booted from the game[http://i.imgur.com/oQw6k5H.jpg]. dbc5bae6117ff70e7e60fe0a95cda2e457921119 0 3818 6705 6360 2019-04-05T16:55:39Z DiscoStarslayer 2509 Put power + current rating for PSU into tables for easier reading. Confirmed pinout on 1.1 + 1.3 xbox, cleaned up pinout layout to more closely match the actual connector. Added speculative pinout for 1.6 wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 & 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3.3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 to 1.5 === The connector for the 1.2 -> 1.5 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 1 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || None || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || None |- | Pin 5 || +3.3V Standby || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || None |- | Pin 7 || None || Pin 7 || +3.3V |- | Pin 8 || +3.3V || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} === Xbox 1.6+ === The connector for the 1.6+ Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2 -> 1.5 xbox, with a different pinout. {{citation needed|reason=Need to validate this pinout on an actual machine, I don't have one to test.}} {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || GND || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || GND |- | Pin 5 || +5V Standby {{citation needed}} || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || GND |- | Pin 7 || None || Pin 7 || None {{citation needed}} |- | Pin 8 || None {{citation needed}} || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 32760edbd0f465674b2ed2067f1e4886cf8736b6 6706 6705 2019-04-05T17:10:12Z DiscoStarslayer 2509 Remove -> wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 & 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3.3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2 to 1.5 === The connector for the 1.2 to 1.5 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 1 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || None || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || None |- | Pin 5 || +3.3V Standby || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || None |- | Pin 7 || None || Pin 7 || +3.3V |- | Pin 8 || +3.3V || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} === Xbox 1.6+ === The connector for the 1.6+ Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2 to 1.5 xbox, with a different pinout. {{citation needed|reason=Need to validate this pinout on an actual machine, I don't have one to test.}} {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || GND || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || GND |- | Pin 5 || +5V Standby {{citation needed}} || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || GND |- | Pin 7 || None || Pin 7 || None {{citation needed}} |- | Pin 8 || None {{citation needed}} || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 42cb9c02a9678d015dcbe2240bed41876c788ebd 6707 6706 2019-04-05T17:14:05Z DiscoStarslayer 2509 wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3.3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 1 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || None || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || None |- | Pin 5 || +3.3V Standby || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || None |- | Pin 7 || None || Pin 7 || +3.3V |- | Pin 8 || +3.3V || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {{citation needed|reason=Need to validate this pinout on an actual machine, I don't have one to test.}} {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || GND || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || GND |- | Pin 5 || +5V Standby {{citation needed}} || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || GND |- | Pin 7 || None || Pin 7 || None {{citation needed}} |- | Pin 8 || None {{citation needed}} || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 0e33c610250f0e15268da7aed60d6f47f7197b23 6708 6707 2019-04-05T17:15:19Z DiscoStarslayer 2509 /* Xbox 1.2, 1.3, 1.4, and 1.5 */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || +12V |- | Pin 2 || +5V |- | Pin 3 || +5V |- | Pin 4 || +5V |- | Pin 5 || +3.3V |- | Pin 6 || +3.3V Standby |- | Pin 7 || GND |- | Pin 8 || GND |- | Pin 9 || GND |- | Pin 10 || GND |- | Pin 11 || POWON |- | Pin 12 || POWOK |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || None || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || None |- | Pin 5 || +3.3V Standby || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || None |- | Pin 7 || None || Pin 7 || +3.3V |- | Pin 8 || +3.3V || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {{citation needed|reason=Need to validate this pinout on an actual machine, I don't have one to test.}} {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || +12V || Pin 1 || +5V |- | Pin 2 || GND || Pin 2 || +5V |- | Pin 3 || +5V || Pin 3 || +5V |- | Pin 4 || GND || Pin 4 || GND |- | Pin 5 || +5V Standby {{citation needed}} || Pin 5 || GND |- | Pin 6 || GND || Pin 4 || GND |- | Pin 7 || None || Pin 7 || None {{citation needed}} |- | Pin 8 || None {{citation needed}} || Pin 8 || None |- | Pin 9 || GND || Pin 9 || GND |- | Pin 10 || PowON || Pin 11 || PowOK |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] a3038f31e277619a01a5c88cbbaca5d00a92a080 6709 6708 2019-04-05T19:38:51Z DiscoStarslayer 2509 Had the pinout up-side down. Fixed the pin layout wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || POWOK |- | Pin 2 || POWON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {{citation needed|reason=Need to validate this pinout on an actual machine, I don't have one to test.}} {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None {{citation needed}} |- | Pin 4 || None {{citation needed}} || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V Standby {{citation needed}} |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || GND |- | Pin 10 || +5V || Pin 10 || +12V |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 7854736ee6abc9d32f9997b5b7c90a11f031a844 6710 6709 2019-04-05T19:49:19Z DiscoStarslayer 2509 Update 1.6 xbox voltages as confirmed by xbox7887 wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || POWOK |- | Pin 2 || POWON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] bf8dfee86bf3acfe9ffa195913dfacdd21d3e4f6 6711 6710 2019-04-05T20:03:54Z DiscoStarslayer 2509 Consistent casing wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 5af11e6a287f560e645b3bcde7ad932a4d7a8bd2 0 3824 6712 5939 2019-04-08T03:31:31Z Redherring32 2513 wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452534 "Portion of an electronic housing" (not a dupe, its the top X shape in detail) * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2003-05-09 by Microsoft: https://www.google.com/patents/US8493326 "Controller with removably attachable text input device" (an early keypad, later revered to by the 360 keypad patent) * Filed 0023-05-09 by Micorsoft: https://www.google.com/patents/US7116311 "Embedded text input " (reffered to by the 360 chatpad) * Filed 2006-07-03 by Micorsoft: https://www.google.com/patents/US7804484 "Embedded text input " (probably a corrected version of US7116311, reffered to by the 360 chatpad, a picture of the "Baretta" chatpad, https://assemblergames.com/threads/xbox-chatpad-unreleased.54523/ * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") * Filed 2001-04-30 by Microsoft: https://www.google.com/patents/US20020160654 "Breakaway cable connector" (filed by Microsofts attorneys) * Filed 2004-22-02 by Microsoft: https://patents.google.com/patent/US7303476 "Method and apparatus for creating and playing soundtracks in a gaming system" * Filed 2002-05-16 by Microsoft: https://patents.google.com/patent/US6935959 "Use of multiple player real-time voice communications on a gaming device" * Filed 2001-03-09 by Microsoft: https://patents.google.com/patent/US7218739B2 "Multiple user authentication for online console-based gaming" * Filed 2005-03-09 by Microsoft: https://patents.google.com/patent/US7811174B2 "Method and apparatus for managing data in a gaming system" Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" * Filed 2007-12-07 by Microsoft: https://www.google.com/patents/US8487876 "Ergonomic hand-held text input device " (The xbox 360 chatpad, wich mentions the OG textpad US8493326 and US7116311 ;) ) 085ff71d68fd34fadb151a693b0d2230990b5bb8 0 3751 6713 6538 2019-04-22T05:55:37Z JayFoxRox 2 Fix typo wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] b1b5710e0ed922a819af50b3b9d869b3b194dc07 0 3982 6714 2019-04-30T02:17:40Z JayFoxRox 2 Created page with "=== Supported information classes === * FATX: FileBasicInformation, FileRenameInformation, FileDispositionInformation, FilePositionInformation, FileAllocationInformation, Fil..." wikitext text/x-wiki === Supported information classes === * FATX: FileBasicInformation, FileRenameInformation, FileDispositionInformation, FilePositionInformation, FileAllocationInformation, FileEndOfFileInformation * Xbox DVD: FilePositionInformation * UDF: FilePositionInformation * Raw access: FilePositionInformation 26aa38bbdd803691088ea8dfc842ec016be1fecf 0 3983 6715 2019-04-30T02:17:48Z JayFoxRox 2 Created page with "=== Supported information classes === * FATX: FileInternalInformation, FilePositionInformation, FileNetworkOpenInformation * Xbox DVD: FileInternalInformation, FilePositionIn..." wikitext text/x-wiki === Supported information classes === * FATX: FileInternalInformation, FilePositionInformation, FileNetworkOpenInformation * Xbox DVD: FileInternalInformation, FilePositionInformation, FileNetworkOpenInformation * UDF: FileInternalInformation, FilePositionInformation, FileNetworkOpenInformation * Raw access: FilePositionInformation 485a89439bf0cfe072c165be1444b8f110bcb076 0 3742 6716 6588 2019-05-05T18:53:23Z JayFoxRox 2 Make read checksum code more readable wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe & Australia |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Thanks! */ void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) { unsigned char* CRC_Data = (unsigned char *)malloc(dataLen+4); int pos=0; memset(crc,0x00,4); memset(CRC_Data,0x00, dataLen+4); //Circle shift input data one byte right memcpy(CRC_Data + 0x01 , data, dataLen-1); memcpy(CRC_Data, data + dataLen-1, 0x01); for (pos=0; pos&lt;4; ++pos) { unsigned short CRCPosVal = 0xFFFF; unsigned long l; for (l=pos; l&lt;dataLen; l+=4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &amp;= 0xFF00; crc[pos] = (unsigned char) (CRCPosVal &gt;&gt; 8); } free(CRC_Data); } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] e4495144a3ce6ae500d607da7445a343208b117d 6717 6716 2019-05-05T19:01:50Z JayFoxRox 2 Make checksum code more readable wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x01 = North America * 0x02 = Japan * 0x04 = Europe & Australia |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) 1 byte at offset 0x90 data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Language !! EEPROM Value @ 0x90 |- | English | 0x01 |- | Japanese | 0x02 |- | German | 0x03 |- | French | 0x04 |- | Spanish | 0x05 |- | Italian | 0x06 |- | Korean | 0x07 |- | Chinese | 0x08 |- | Portuguese | 0x09 |} |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) 1 byte at offset 0x9C data 4-byte aligned adds the 3 remaining bytes of 0x00 {| class="wikitable" ! Xbox Game Rating !! EEPROM Value @ 0x9C |- | (RP) Rating Pending (Max) | 0x00 |- | (AO) Adults Only | 0x01 |- | (M) Mature | 0x02 |- | (T) Teen | 0x03 |- | (E) Everyone | 0x04 |- | (K-A) Kids to Adults | 0x05 |- | (EC) Early Childhood | 0x06 |} |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} Note:{{FIXME|reason=Not sure this is the proper place to describe and formatting sucks not used mediawiki that much still learning}} * EEPROM offset 0xA0: <code>23 14 00 00</code> * Little Endian value 0x00001423. * The pass code is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code is only 2 bytes not 4, each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. * Data in the EEPROM is aligned to double word (4-byte) boundaries. Thus, the two extra bytes at 0xA2 and 0xA3 of 0x00. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) only 1 byte necessary, the 3 remaining bytes for multiple of 4-byte data alignment{{FIXME|reason=Re-word alignment description. The reason for the extra 3 bytes.}} {| class="wikitable" ! Xbox Movie Rating !! EEPROM Value @ 0xA4 |- | 8 (Max) | 0x00 |- | 7 (NC-17) | 0x01 |- | 6 (R) | 0x02 |- | 5 | 0x03 |- | 4 (PG-13) | 0x04 |- | 3 (PG) | 0x05 |- | 2 | 0x06 |- | 1 (G) | 0x07 |} |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this region |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. ==The HMAC HDD Key== The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly. ==The Region Code== This DWORD is encrypted. It corresponds to the region code in the XBE header: {| class="wikitable" |- | 0x00000001 | North America |- | 0x00000002 | Japan |- | 0x00000004 | Europe / Australia |- | 0x80000000 | Manufacturing plant |} ==The MAC address== This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. ==DVD Region== This DWORD corresponds to the region code for playback of DVD movies: {| class="wikitable" |- | 0x00000000 | None |- | 0x00000001 | Region 1 |- | ... | ... |- | 0x00000006 | Region 6 |} == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] a595ec2ca046716430d587e366c145992d621b59 6718 6717 2019-05-05T19:28:09Z JayFoxRox 2 Refactor wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x??=Normal{{FIXME}} * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] e1fc65edd01fd1cef4751574ec2459c152ec1f84 6728 6718 2019-06-12T07:00:09Z Dracc 2502 Video settings "Normal" confirmed wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings Offset 0x96: * 0x00=Normal * 0xB0=Widescreen * 0xB4=Letterbox |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] df31b55543b0b91423bbaa7e0f1a758304b930f3 6729 6728 2019-06-12T09:31:57Z JayFoxRox 2 Add video setting information by LukeUsher and wutno wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 2a3d8535d770087a5804b44bfa361a409c43ca6c 6730 6729 2019-06-12T16:06:33Z Dracc 2502 Add Audio settings as described by LukeUsher wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * Channels * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * Flags * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] cc6ffcfd7c7c7b8dfa3c42084532a70c70d6e7fb 6731 6730 2019-06-12T16:07:25Z Dracc 2502 /* Contents */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal << 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 98a441614344e7c452aa94e381e1a3feccd68cd7 0 3984 6719 2019-05-20T21:06:36Z JayFoxRox 2 Created page with "The communication protocol is documented at https://xboxdevwiki.net/PIC#The_LED" wikitext text/x-wiki The communication protocol is documented at https://xboxdevwiki.net/PIC#The_LED 9440a6a2bed131ba2b25dfde817f884cdcadd994 6721 6719 2019-05-25T14:47:10Z Ernegien 2491 wikitext text/x-wiki The communication protocol is documented at https://xboxdevwiki.net/PIC#The_LED The Xbox's front LED is driven by the PIC16LC63A (SMC) motherboard component. Upon startup, a set of 4 time slots are reserved for it and looped in succession. The first three slots consume 180 ms (milliseconds) and the last 200 ms for a total of 740 ms per full LED cycle. The time slot used for the first color in a cycle depends on when (specific timing TBD) the SMBus set led command was executed relative to the PIC startup, therefore we cannot easily predict which color gets the additional 20 ms via emulation at the moment; what we can assume however is each full pattern takes 740 ms and each emulated blink should take 185 ms to account for the 20 ms delay evenly dispersed throughout. An LED cycle can be interrupted (specific timing TBD) but the currently shown color is displayed for its full time slot before honoring the new cycle request. c891394cb861c63ea9ccf351e18c39b7aa43d400 6722 6721 2019-05-25T15:02:03Z Ernegien 2491 wikitext text/x-wiki The communication protocol is documented at https://xboxdevwiki.net/PIC#The_LED The Xbox's front LED is driven by the PIC16LC63A (SMC) motherboard component. Upon startup, a set of 4 time slots are reserved for it and looped in succession. The first three slots consume 180 ms (milliseconds) and the last 200 ms for a total of 740 ms per full LED cycle. The time slot used for the first color in a cycle depends on when (specific timing TBD) the SMBus set led command was executed relative to the PIC startup, therefore we cannot easily predict which color gets the additional 20 ms via emulation at the moment; what we can assume however is each full cycle takes 740 ms. An LED cycle can be interrupted (specific timing TBD) but the currently shown color is displayed for its full time slot before honoring the new cycle request. b78003d877796974b58e5bbed93986e596323fed 1 3895 6720 6231 2019-05-24T16:51:56Z JayFoxRox 2 Just bricked a TS-H352A kreon candidate; leaving notes wikitext text/x-wiki == Drive with modded firmwares == There seems to be some overlap / similarities in the following devices: * https://fccid.io/TSS-TS-H353 = TS-H353, TS-H353A, SH-D163, SH-D163A, SD-M2013, SH-D163B * https://fccid.io/E-H023-00-4752 = SD-616, TS-H352, TS-H352A, SD-M1912, SH-D162, SH-D162C, SD-M2012, TS-H943 Noteworthy that TS-H943 is the 360 Drive! It has (i)Xtreme and 0800 available. Most other drives have been confirmed to work with Kreons firmware. We should figure out which of those drives are supported by the same firmware even. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 04:09, 16 September 2017 (PDT) Update about TS-H352A: I tried flashing my TS-H352A with a modified SH-D162C_TS05_KREON_V100.bin firmware (by only changing the footer of the file, to match the drive model). I flashed using sfdnwin.exe on Windows 10, while debugging the flasher code through IDA Pro, and stepping through each DeviceIoControl call (so flashing was slow). The drive stopped working after that (no response, no LED, no motors = dead) - I got the impression it just heats up now. I might attempt to recover the drive by replacing the on-board flash; the original revision was firmare TS03. For comparisons with other drive; the following main-components (on drive PCB): - MT1358E - BD7909FS: motor driver - EliteMT M11B416256A: 256 K x 16 DRAM EDO PAGE MODE - SST 39SF020A: 2 Mbit (x8) Multi-Purpose Flash (sticker: "TS03\nCAA1") The update image size is exactly 256kiB, so it's probably on flash with no changes. The firmware image looks very similar to the mentioned kreon SH-162C, so it was worth a try. The firmware image of SH-162D looked much different. If I were to try this again, I'd probably start by diffing kreon against it's original firmware, and trying to apply the same patches to the TS-H352A. --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 09:51, 24 May 2019 (PDT) d9c1275053bd0e41338fb356c2203ecac97e012b 0 11 6723 6694 2019-06-05T13:45:29Z JayFoxRox 2 `lsusb -vvv` descriptor by Duck (via XboxDev Discord) wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x03{{FIXME|reason=WTF?! Might be bad?}} | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 7c9013b120b516cd86e519595c8cc4409ebf5bf8 0 3985 6724 2019-06-11T12:16:55Z Dracc 2502 Created page with "{| class="wikitable" !Offset !Size !Description |- |0x1020 |4 |Static IP Address |- |0x1024 |4 |Static Subnet Mask |- |0x1028 |4 |Static Default Gateway |- |0x102C |4 |Static..." wikitext text/x-wiki {| class="wikitable" !Offset !Size !Description |- |0x1020 |4 |Static IP Address |- |0x1024 |4 |Static Subnet Mask |- |0x1028 |4 |Static Default Gateway |- |0x102C |4 |Static Primary DNS Server |- |0x1030 |4 |Static Secondary DNS Server |- |0x1034 |32 !(Unknown padding) |- |0x1054 |4 |Xbox Live IP Address |- |0x1058 |4 |Xbox Live Subnet Mask |- |0x105C |4 |Xbox Live Default Gateway |- |0x1060 |4 |Xbox Live Primary DNS Server |- |0x1064 |4 |Xbox Live Secondary DNS Server |- |0x1068 |40 |Xbox Live Hostname |- |0x1090 |64 |Xbox Live PPPOE Username |- |0x10D0 |64 |Xbox Live PPPOE Password |- |0x1110 |40 !(Unknown padding) |- |0x1138 |40 |Xbox Live PPPOE Service Name |- |0x1160 |12 !(Unknown) |- |0x116C |4 |DHCP IP Address |- |0x1170 |4 |DHCP Subnet Mask |- |0x1174 |4 |DHCP Default Gateway |- |0x1178 |4 |DHCP Primary DNS Server |- |0x117C |4 |DHCP Secondary DNS Server |- |0x1180 |4 |PPPOE IP Address (?) |- |0x1184 |4 |PPPOE Subnet Mask (?) |- |0x1188 |4 |PPPOE Gateway Address (?) |- |0x118C |4 |PPPOE Primary DNS Server (?) |- |0x1190 |4 |PPPOE Secondary DNS Server (?) |} ==References== * [https://archive.fo/c9s3B Xbox live (accounts, xqemu and MU) | ASSEMbler - Home of the obscure (archive.org)] 2360a37524188d33625fdb0155583db538fccc31 6732 6724 2019-06-12T18:32:13Z Dracc 2502 Updated reference link to a working one wikitext text/x-wiki {| class="wikitable" !Offset !Size !Description |- |0x1020 |4 |Static IP Address |- |0x1024 |4 |Static Subnet Mask |- |0x1028 |4 |Static Default Gateway |- |0x102C |4 |Static Primary DNS Server |- |0x1030 |4 |Static Secondary DNS Server |- |0x1034 |32 !(Unknown padding) |- |0x1054 |4 |Xbox Live IP Address |- |0x1058 |4 |Xbox Live Subnet Mask |- |0x105C |4 |Xbox Live Default Gateway |- |0x1060 |4 |Xbox Live Primary DNS Server |- |0x1064 |4 |Xbox Live Secondary DNS Server |- |0x1068 |40 |Xbox Live Hostname |- |0x1090 |64 |Xbox Live PPPOE Username |- |0x10D0 |64 |Xbox Live PPPOE Password |- |0x1110 |40 !(Unknown padding) |- |0x1138 |40 |Xbox Live PPPOE Service Name |- |0x1160 |12 !(Unknown) |- |0x116C |4 |DHCP IP Address |- |0x1170 |4 |DHCP Subnet Mask |- |0x1174 |4 |DHCP Default Gateway |- |0x1178 |4 |DHCP Primary DNS Server |- |0x117C |4 |DHCP Secondary DNS Server |- |0x1180 |4 |PPPOE IP Address (?) |- |0x1184 |4 |PPPOE Subnet Mask (?) |- |0x1188 |4 |PPPOE Gateway Address (?) |- |0x118C |4 |PPPOE Primary DNS Server (?) |- |0x1190 |4 |PPPOE Secondary DNS Server (?) |} ==References== * [https://web.archive.org/web/20190604222002/https://assemblergames.com/threads/xbox-live-accounts-xqemu-and-mu.60352/ Xbox live (accounts, xqemu and MU) | ASSEMbler - Home of the obscure (archive.org)] af46118575e968d97d2d02c5efdb3804bcf62263 0 1 6725 6623 2019-06-11T12:18:11Z Dracc 2502 Added Config Sector to the listing wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug| Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 4591d0ae522e29d2967fe0c3b123ea3a47c37231 0 3782 6726 5624 2019-06-11T16:30:04Z JayFoxRox 2 Add our own article wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Partitioning|ours=Hard Drive}} by ''Michael Steil'' (original version: 8 May 2002) The Xbox uses a hard disk partitioning scheme that is hardwired into the kernel. The hard disk consists of a header, 3 game cache partitions, a system partition and a data partition: {| class="wikitable" |- ! Offset ! Size ! Description |- | 0&nbsp;MB<br /><code>0x00000000</code> | 0.5&nbsp;MB | '''Disk Config Area''' <br />This partition contains no filesystem. Various configuration data is stored on fixed offsets.<br />Linux device: <code>none</code> |- | 0.5&nbsp;MB<br /><code>0x00000400</code> | 750&nbsp;MB | '''Game Cache A''' (Drive X:)<br />FATX volume containing temporary data of a game for faster access.<br />Linux device: <code>/dev/hda52</code> |- | 750.5&nbsp;MB<br /><code>0x00177400</code> | 750&nbsp;MB | '''Game Cache B''' (Drive Y:)<br />Linux device: <code>/dev/hda53</code> |- | 1500.5&nbsp;MB<br /><code>0x002EE400</code> | 750&nbsp;MB | '''Game Cache C''' (Drive Z:)<br />Linux device: <code>/dev/hda54</code> |- | 2250.5&nbsp;MB<br /><code>0x00465400</code> | 500&nbsp;MB | '''System Files''' (Drive C:)<br />FATX volume containing menu code, graphics, sound, DVD player, music import,&nbsp;...<br />Linux device: <code>/dev/hda51</code> |- | 2750.5&nbsp;MB<br /><code>0x0055F400</code> | 4895&nbsp;MB | '''Data''' (Drive E:)<br />FATX volume containing saved games and imported CD audio tracks.<br />Linux device: <code>/dev/hda50</code> |- ! ! ! '''Non-Standard partitions on disks &gt;8GB''' |- | 7645.5&nbsp;MB<br /><code>0x00EE8AB0</code> | 1896&nbsp;MB<br />- 130&nbsp;GB | '''Unused/Additional''' (Drive F:)<br />The first xboxes had a 8GB disk, later versions came with a 10GB disk. This the space difference between the two and not used. Some tools allow it to be used as additional FATX filesystem<br />Linux device: <code>/dev/hda55</code> (only present if signature of formatted FATX found)<br />Linux assumes that all remaining space on the disk belongs to this partition unless another FATX filesystem is detected at the LBA28 boundary. See below. |- | 137&nbsp;GB<br /><code>0x0FFFFFFF</code> | remaining space | '''LBA28''' (Drive G:)<br />If you install a very big disk some tools are limited by the LBA24 boundary. The drive G allows this space to be used in a separate drive, only accessible to LBA48 capable tools and BIOS'es.<br />Linux device: <code>/dev/hda56</code> (only present if signature of formatted FATX found at LBA24 boundary)<br />Linux assumes that all remaining space on the disk belongs to this partition. |} This table has been completed by Markus Baertschi with lots of stuff. There might be errors and misconceptions, caveat emptor&nbsp;! {| class="wikitable" |- ! '''Missing image'''<br />''Icon-admonition-tip.png'' <br />Tip<br /><br /> | For a more detailed description of the format and contents of the partitions see [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Partitioning_and_Filesystem_Details Xbox Partitioning and Filesystem Details].|} 07a483b02e8c4961c4e95a8c2245e61936e178be 0 3707 6727 6620 2019-06-11T16:32:58Z JayFoxRox 2 Link Config Area and add some FIXMEs wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter{{FIXME|reason=This is under control of running application / variation even in official products?}} ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | [[Config Sector|Config Area]] | 0x00000000 | 0x00080000 | Fixed Structure | N/A |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"''{{FIXME|reason=Mark as unofficial / homebrew}} :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"''{{FIXME|reason=Mark as unofficial / homebrew}} '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] 901e4f34f87a6d46de298d376b4e62aec75153d4 0 3817 6733 6441 2019-06-23T18:06:51Z Redherring32 2513 /* Connector */ wikitext text/x-wiki Microsoft has released a handful of '''Audio Video Cables''' for the [[Xbox]], which they refer to internally as '''AV Packs'''. They are connected to the port labelled "Audio Video Input/Output" on the backside of the console. == Connector == {{FIXME|reason=Describe the connector here - is it a standard part? add an image, add the pinout graphics (didn't copy from elsewhere because clearly microsoft copyright)}} === Pinout === The following table gives the pinout in the way it is arranged on the '''XBOX AVIP''' cables, or '''AV Packs'''. The other end is reversed and on the console. {| class="wikitable" !Description |Audio Right |Audio Right GND |SPDIF Digital Audio |V-Sync (VGA Mode) |Mode GND |Mode GND |Mode GND |GND |Variable |9 GND |Variable |11 GND |- !Pin !1 !2 !3 !4 !5 !6 !7 !8 !9 !10 !11 !12 |- !Pin !13 !14 !15 !16 !17 !18 !19 !20 !21 !22 !23 !24 |- !Description |Vcc |Audio Left |Audio Left GND |H Sync (VGA Mode) |Mode Select 1 |Mode Select 2 |Mode Select 3 |(+12V) |22 GND |Variable |24 GND |Variable |} == Supported signals / AV cables == Below is a table which lists all known officially '''AV cables''' released by Microsoft and their respective signal. The constants used in the av-prefixed Kernel-functions are also listed. {| class="wikitable" ! Pin 19 || Pin 18 || Pin 17 || SMC Constant || Region || Official Microsoft product name ! Signal || Pin 24 || Pin 22 || Pin 11 || Pin 9 || Kernel av-Constant |- | 0 || 0 || 0 || 0 || PAL || [https://web.archive.org/web/20040216131316/http://www.xbox.com:80/en-gb/hardware/scartcable.htm Advanced SCART Cable] | SCART (15 kHz RGB) Stereo || V || R || G || B || AV_PACK_SCART = 3 |- | 0 || 0 || 1 || 1 || NTSC || [https://web.archive.org/web/20040210040422/http://www.xbox.com:80/en-US/hardware/highdefinitionavpack.htm High Definition AV Pack] | Component SPDIF || - || Pr || Y || Pb || AV_PACK_HDTV = 4 |- | 0 || 1 || 0 || 2 || - || ''Not officially available / supported'' | VGA (31 kHz RGB) Stereo || - || R || G || B || AV_PACK_VGA = 5 |- | 0 || 1 || 1 || 3 || NTSC / PAL || [https://web.archive.org/web/20040319001330/http://www.xbox.com:80/en-us/hardware/rfadapter.htm RF Adapter] | RF Mono || V || C || Y || - || AV_PACK_RFU = 2 |- | 1 || 0 || 0 || 4 || NTSC || [https://web.archive.org/web/20040319001247/http://www.xbox.com:80/en-us/hardware/advancedavpack.htm Advanced AV Pack] | S-Video Stereo || V || C || Y || - || AV_PACK_SVIDEO = 6 |- | 1 || 0 || 1 || 5 || - || ''Not officially available / supported'' | Unknown Mono || V || C || Y || - || AV_PACK_NONE = 0 |- | 1 || 1 || 0 || 6 || PAL || [https://web.archive.org/web/20040216130745/http://www.xbox.com:80/en-gb/hardware/avcable.htm Standard AV Cable] | Composite Stereo || V || C || Y || - || AV_PACK_STANDARD = 1 |- | 1 || 1 || 1 || 7 || - || ''No cable connected'' | - || - || - || - || - || AV_PACK_NONE = 0 |} A signal value of 0 means connection to ground (Pins 7, 6, 5), whereas a value of 1 means an open-connection{{citation needed|reason=Are these still connected to Vcc maybe?}} The region only identifies which territory the cable was originally available / intended for. The kernel still might support other video-standards (NTSC / PAL / SECAM) using the same cable. {{FIXME|reason=Add a list of AV cables with pictures and their supported video modes using the official kernel}} == Related links == * [http://www.gamesx.com/avpinouts/xbox.htm GamesX List of signals and pinout] * [https://assemblergames.com/attachments/xboxavippinouttr0-png.13081/ ASSEMBLERgames XBOX AV pinout] * [http://ucon64.sourceforge.net/ucon64misc/conn.html uCON64 Connectors] 334db85ae3a554d452bb538d009c5fa6bfac87ee 0 3821 6734 6507 2019-06-23T18:18:26Z Redherring32 2513 wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding which files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and possibly potential faults that could occur. The Hardware required for this was a Developement kit, (with the DVD emulation board) some sort of scsi cable, and an XDK-Raptor card.{{citation needed}} The complete kit, a Raptor PCI Scsi card and Hardisk was numbered: 940-75004 Rev.01 two or more versions of the PCI scsi card are known: * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. This wasn't the fastest way to get an executable to the Xbox for development, and is useless for Homebrew.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} [http://codeasm.com/xbox/images/dvt4/SL734877.JPG Picture]{{FIXME|reason=Contact codeasm about more pics / without watermarks}} == Resources == * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the DVD emulation board and serial board] 1a5530adb2907c2fb60c2638fa76e48aec91fc7d 0 8 6735 6638 2019-06-25T22:03:20Z JayFoxRox 2 Some corrections based on https://github.com/XboxDev/nxdk/blob/master/tools/fp20compiler/ps1.0_program.cpp#L227 wikitext text/x-wiki The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texturing modes == {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. == References and links == * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable fragment shading] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 988a9c0122c74f1d76a7fb28907c60d552004a29 0 10 6736 6639 2019-06-25T22:12:43Z JayFoxRox 2 Add link to NV texture fomat list, and XQEMU links for signedness and convolution wikitext text/x-wiki == Texture formats == * [http://download.nvidia.com/developer/OpenGL_Texture_Formats/nv_ogl_texture_formats.pdf List of implemented texture formats, according to NVIDIA] === Texture decoding / sampling === The textures are sampled by the texture shader portion of [[NV2A/Pixel_Combiner]]. ==== Texture signedness ==== Each component of the texture can be either signed (two's-complement) or unsigned.[https://github.com/xqemu/xqemu/issues/75]{{FIXME|reason=Research and collect information here}}. ==== Texture filtering ==== The GPU implements the standard texture filters as known from OpenGL. In addition, it supports convolution filters[https://github.com/xqemu/xqemu/issues/238]{{FIXME|reason=Research and collect information here}}. == Framebuffer formats == [[Category:NV2A]] ee3e1f55f663c7c6f601973ddcd9a623bc9e1d9c 6737 6736 2019-06-27T20:28:11Z JayFoxRox 2 Dummy info about O and Z fields, and list of formats (should link to nouveau or XQEMU instead in future) wikitext text/x-wiki == Texture formats == * [http://download.nvidia.com/developer/OpenGL_Texture_Formats/nv_ogl_texture_formats.pdf List of implemented texture formats, according to NVIDIA] === Texture decoding / sampling === The textures are sampled by the texture shader portion of [[NV2A/Pixel_Combiner]]. ==== Texture signedness ==== Each component of the texture can be either signed (two's-complement) or unsigned.[https://github.com/xqemu/xqemu/issues/75]{{FIXME|reason=Research and collect information here}}. ==== Texture filtering ==== The GPU implements the standard texture filters as known from OpenGL. In addition, it supports convolution filters[https://github.com/xqemu/xqemu/issues/238]{{FIXME|reason=Research and collect information here}}. == Framebuffer formats == Surfaces are rendertargets of the GPU, they can be swizzled or linear. Additionally, they can be optimized using tiling{{FIXME|reason=Document tiling}}. {{FIXME|reason=Link to nouveau documentation instead; this section shouldn't be here}} === Color === Z and O stand for Zero and One respectively. These fields will always be cleared (Zero) or all bis will be set (One). * NV097_SET_SURFACE_FORMAT_COLOR_LE_X1R5G5B5_Z1R5G5B5 * NV097_SET_SURFACE_FORMAT_COLOR_LE_X1R5G5B5_O1R5G5B5 * NV097_SET_SURFACE_FORMAT_COLOR_LE_R5G6B5 * NV097_SET_SURFACE_FORMAT_COLOR_LE_X8R8G8B8_Z8R8G8B8 * NV097_SET_SURFACE_FORMAT_COLOR_LE_X8R8G8B8_O8R8G8B8 * NV097_SET_SURFACE_FORMAT_COLOR_LE_X1A7R8G8B8_Z1A7R8G8B8 * NV097_SET_SURFACE_FORMAT_COLOR_LE_X1A7R8G8B8_O1A7R8G8B8 * NV097_SET_SURFACE_FORMAT_COLOR_LE_A8R8G8B8 * NV097_SET_SURFACE_FORMAT_COLOR_LE_B8 (not suitable for displaying) * NV097_SET_SURFACE_FORMAT_COLOR_LE_G8B8 (not suitable for displaying) === Depth === The depth buffer can be configured to be fixed point or floating point. Additionally, the GPU allows hardware Z-Buffer compression{{FIXME|reason=Document compression}}. * NV097_SET_SURFACE_FORMAT_ZETA_Z16 * NV097_SET_SURFACE_FORMAT_ZETA_Z24S8 [[Category:NV2A]] 618ed67034875573e7eb2e12d45e30833de89834 0 3706 6738 6414 2019-07-13T08:17:30Z Wayo 2479 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Certificate == Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data * Signature key raw data (used to sign savefiles) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) == Xbox Alpha executable format== Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] ef937d767e440b451ac01b807f52384f809e6fd9 6739 6738 2019-07-13T08:28:42Z Wayo 2479 /* Certificate */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Certificate == Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign savefiles) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) == Xbox Alpha executable format== Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 3447526261006f952a36f51efb1271c281ab58d2 6740 6739 2019-07-13T08:31:17Z Wayo 2479 /* Certificate */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] === Sections === ==== .text ==== The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. ==== .rdata ==== The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. == Certificate == Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) == Xbox Alpha executable format== Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 774e745f4abbd4f30417068935c4617be3fca07b 6741 6740 2019-07-13T08:46:46Z Wayo 2479 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It always starts with the "Magic number" 0x48454258, which translates to "XBEH". Right after the header comes the digital signature for the executable. This signature is 256 bytes. = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format= Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] ced6a0a7c574fec9104dd029ecff9c122b8acbd9 6742 6741 2019-07-13T08:52:08Z Wayo 2479 /* Certificate */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It always starts with the "Magic number" 0x48454258, which translates to "XBEH". Right after the header comes the digital signature for the executable. This signature is 256 bytes. = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format= Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 9006877691988874cc413005ddf5d1e686b16122 0 3799 6743 6688 2019-07-14T01:21:03Z Haxar 2485 Include APU audio frame duration (0.6ms / 666.6us) wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). The APU consists of 3 main components for audio-processing: * VP: A fixed-function block, that generates 32 channel mono audio from voices; the audio is output to the GP MIXBUF. * GP: A programmable DSP, it is intended for general-purpose audio processing (programmable audio effects for example). * EP: A programmable DSP, it is intended for audio encoding (5.1 AC3 encoding for example). VP and GP are connected by the MIXBUF, but GP and EP are entirely independent, and no special-purpose memory area connects them. Therefore, the communication between the GP and EP typically happens through programmable DMA transfers (via FIFO or scratch memory). The GP and EP are based on the same DSP architecture, run at the same clockrate, and have the same functionality (the EP has less memory, and no direct access to the MIXBUF). So, theoretically, nothing prevents the GP from doing EP tasks or vice versa{{FIXME|reason=I have not seen counter-arguments}}. The APU does only audio-processing but no audio output. Hence, one of the DSPs typically uses programmable DMA to transfer the finished audio to system memory, where it can be read by other components (such as AC97). All audio processing by the APU is typically done in 24bit PCM. An APU audio frame is 32 samples long with a duration of 0.{{overline|6}}ms at 48000Hz, giving a total of 1500 frames per second. The MIXBUF therefore holds 1024 samples (32 channels * 32 samples/channel). === Glossary === * PRD = Physical Resource Descriptor (Same thing as SGE?!) * SGE = Scatter Gather Entry * SSL = Stream Segment List == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound APIs. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] [[Category:APU]] 62079465bb7b596764a46341541e33e3c3b05663 6744 6743 2019-07-14T16:08:25Z JayFoxRox 2 The 48kHz samplerate is a key-design feature. The 32 sample length is a key-design feature. The 1500Hz (~1/0.666ms) is derived from said features. wikitext text/x-wiki The [[MCPX]] contains an APU (Audio Processing Unit). The APU consists of 3 main components for audio-processing: * VP: A fixed-function block, that generates 32 channel mono audio from voices; the audio is output to the GP MIXBUF. * GP: A programmable DSP, it is intended for general-purpose audio processing (programmable audio effects for example). * EP: A programmable DSP, it is intended for audio encoding (5.1 AC3 encoding for example). VP and GP are connected by the MIXBUF, but GP and EP are entirely independent, and no special-purpose memory area connects them. Therefore, the communication between the GP and EP typically happens through programmable DMA transfers (via FIFO or scratch memory). The GP and EP are based on the same DSP architecture, run at the same clockrate, and have the same functionality (the EP has less memory, and no direct access to the MIXBUF). So, theoretically, nothing prevents the GP from doing EP tasks or vice versa{{FIXME|reason=I have not seen counter-arguments}}. The APU does only audio-processing but no audio output. Hence, one of the DSPs typically uses programmable DMA to transfer the finished audio to system memory, where it can be read by other components (such as AC97). All audio processing by the APU is typically done in 24bit PCM at 48000Hz. An APU audio frame is 32 samples long. Therefore, there are 1500 frames per second, with a duration of 0.{{overline|6}}ms each. The MIXBUF holds 1024 samples (32 channels * 32 samples/channel). === Glossary === * PRD = Physical Resource Descriptor (Same thing as SGE?!) * SGE = Scatter Gather Entry * SSL = Stream Segment List == Frontend Engine (FE) == == Voice Processor (VP) == A powerful voice processor. There can be up to 256 voices [http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php][https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml] and 64[http://www.nvidia.com/object/IO_20010530_6177.html] of those can be 3D. Per-voice settings: * Input type (8bit, 16bit, 24bit, ADPCM) * 8 target bins, each with controllable volume for this voice * [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF) * [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO) * Pitch (~187.5 Hz to ~12285920.7 Hz) * Optionally one of the following filters modes: ** For 2D Mono: *** DLS2 Low-Pass *** Parametric Equalizer *** DLS2 Low-Pass + Parametric Equalizer ** For 2D Stereo: *** DLS2 Low-Pass *** Parametric Equalizer ** For 3D: *** DLS2 Low-Pass + I3DL2 Reverb *** Parametric Equalizer + I3DL2 Reverb *** I3DL2 Reverb * 2 Envelopes (DAHDSR: Delay, Attack, Hold, Decay, Sustain, Release) ** Amplitude Envelope ** Pitch / DLS2 Low-Pass Cutoff Envelope * Tracking of certain parameters ** Volume ** LFO parameters ** DLS2 Low-Pass parameters?{{FIXME|reason=Not 100% sure, also not sure if this also works for the other filters}} There are 32 bins which these voices will be mixed into. === Related APU memory === * VPV = VP Voices * VPHT = VP HRTF Target * VPHC = VP HRTF Current * VPSGE = VP SGEs * VPSSL = VP SSLs === Voice lists === The voices are kept in a single-linked list. There are 3 voice lists: * 2D * 3D * MP (Multipass?) === Voice structure === This is 0x80 bytes ==== Pitch calculation ==== The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas: <pre> p = 4096 * log2(f / 48000) f = pow2(p / 4096) * 48000 </pre> === LFO === === Tracking === Some of the parameters of the VP can be controlled by setting timing parameters. New values will then be slowly be adapted over time. {{FIXME}} === Envelopes === There are seperate segments of the envelopes, 2 registers (CUR and COUNT) per envelope keeps track of this and control the envelopes level (LVL): * 0: Off = Envelope is not used * 1: Delay = Time where envelope stays at 0% until attack ** COUNT register counts down from DELAYTIME. * 2: Attack = Rate at which the envelope goes from 0 to 100% ** COUNT register counts up to ATTACKRATE. ** LVL seems to be linear. * 3: Hold = Time the envelope stays at 100% ** COUNT register counts down from HOLDTIME. * 4: Decay = Rate at which the envelope goes from 100% to 0% ** COUNT register counts down from DECAYRATE. ** The LVL is not linear, it's a curve which drops steep at first and then slowly becomes level[https://docs.google.com/spreadsheets/d/1fNsfkvBfnlRQ9XplNnTgmh8jBaWJ56bvh2AVWn8B_k0/edit?usp=sharing] ** The best approximation I could come up with so far is: <code>255*pow(0.99988799,(DECAYRATE*16-COUNT)*4096/DECAYRATE)</code>. ** When the output level (not LVL!) reaches the sustain level the decay section is over (In my example above, this happens when the output level is less than 0.2 away from the sustain level; so if sustain is 0, the voice would switch to the sustain segment when a value below 0.2 is reached) ** Writes to the LVL register are ignored ** Writes to count (any value?) impact the LVL ** If the COUNT is larger than the decayrate the envelope will switch to the sustain state ** If the COUNT results in a smaller output level than the sustainlevel the envelope will switch to the sustain state * 5: Sustain = Level at which the envelope stays while the voice is being played ** COUNT register writes are ignored, it will stay at 0 ** LVL register writes are ignored, it will stay at the current sustain level * 6: Release = Rate at which the envelope goes from current level to 0% ** Can start at any time{{FIXME|reason=the voice state PERSIST has to do with this. Voice is released using NV1BA0_PIO_VOICE_RELEASE ?}} ** COUNT register starts at RELEASERATE, regardless of the current sustain level ** COUNT register counts down{{FIXME|reason=What happens when it reaches 0? DirectSound seems to turn off voice - or is the hw doing that?}} ** LVL is not updated during this phase (it will keep it's previous value) ** Writes to LVL have an impact on the output volume ** If the COUNT register is higher than the releaserate, the output will be silent and LVL will drop to zero ** The actual output level is probably determined like: <code>int(COUNT * LVL / (RELEASERATE * 16))</code>{{FIXME|reason=Test..}}{{FIXME|reason=Unknown output shape}} ** COUNT will keep counting until 0 even after the output level has hit 0 * 7: Force Release = Unknown still{{FIXME}} ** Seems to happen during invalid conditions? Happened to me when modifying ebo during playback{{citation needed|reason=Need to find out why this happens}} ** LVL and COUNT seem to be ignored during this, but writes go through? Output level seems to stay at 100% ? (I only got repeating 32 samples during this and the whole Xbox crashed shortly after) All durations are described using unsigned 12-bit times/rates. The level of sustain is stored unsigned in 8-bit. The COUNT register is stored in unsigned 16-bit. The 12-bit times/rates are multiplied by 16 when loading them into the 16-bit COUNT register. The COUNT register counts at 1500 Hz[https://docs.google.com/spreadsheets/d/11jxeJ9aey_TVkyiMmmd6SKuow4j4GR9E9fRZ6HXc2WU/edit#gid=396423867]. A unit in the COUNT register is therefore 0.{{overline|6}} ms. The 12-bit values of the envelope sections are given in units of 0.{{overline|6}} ms * 16 = 10.{{overline|6}} ms. This can also be written as 512 / (48000 Hz) = 10.{{overline|6}} ms. The maximum length of an envelope section is therefore 4095 * 10.{{overline|6}} ms = 43.68 seconds. As the envelope counter runs at a fixed clock speed, it is independent of the voice pitch and duration. If the Amplitude Envelope COUNT hits 0 during release, DirectSound{{FIXME|reason=Is this a hardware thing? I guess it makes sense..}} already deletes the voice, regardless of the Filter Envelope. The sustain level can be changed during playback. Also the attack register can be changed to a lower value while the counter is counting up, however, if the COUNTER does not compare equal to the set value, it will keep counting, even after an overflow. It will not leave the attack phase and keep counting until it sees value COUNTER / 16 in the attack register. If the attack register is set to a higher value while counting, the volume is going down again. Also, if the attack register value is zero while counting, there won't be any audio output during the attack phase. This indicates that the COUNT register is used to calculate the actual value from the current rates. The initial state of each envelope can be controlled by the NV1BA0_PIO_VOICE_ON command. It can either be: DISABLE, DELAY, ATTACK or HOLD. ==== Amplitude Envelope ==== The amplitude envelope is mixed with the volume during mixing. The volume registers are not modified. {{FIXME|reason=Is it multiplied on? Is it added? subtracted?}} It is not yet known how many bits of the envelope state are used. ==== Filter Envelope ==== {{FIXME|reason=Research}} The pitch scale is multiplied with the current envelope state and added to the current pitch during mixing. The pitch registers are not modified. <pre> f = 2^((signed_pitch+signed_pitch_mod*32*envelope_state_float)/4096)*48000 # envelope_state_float: [0, 1] </pre> It is not yet known how many bits of the envelope state are used. === Filters === ==== DLS2 ==== Formulas from DirectSound <pre> FreqToHardwareCoeff(frequency): # Input in Hz if (frequency < 30) { return 0x8000 } if (frequency > 8000) { return 0x0000 } FC = 2 * sin(PI * frequency / 48000) octaves = 4096 * log2(FC) return octaves & 0xFFFF hardware_coefficient[0] = FreqToHardwareCoeff(frequency) </pre> <pre> dBToHardwareCoeff(resonance): # Input in dB resonance = min(resonance, 22.5) Q = pow(10, -0.05 * resonance) return min(0xFFFF) hardware_coefficient[1] = dBToHardwareCoeff(resonance_in_db) </pre> Stuff from the DLS2 spec:{{FIXME|reason=Untested / unconfirmed. Most info comes from Merry of Citra}} There are 2 coeffiecents per channel: * F_c (Cutoff frequency) * resonance From Page 8 of "DLS 2.2 Version 1.0"[https://www.midi.org/specifications/item/dls-level-2-specification] * b_1 = -2 * r * cos(θ) * b_2 = r * r * K = g * (1 + b_1 + b_2) <pre> y[i] = K * x[i] - b_1 * y[i-1] - b_2 * y[i-2] </pre> Where y[i-2] and y[i-1] are the last two frames of the output and x[i] the current input. === Operation === Voices are stored in VPV. Input data (from the CPU) is loaded using VPSGE. Voices are then processed and written to the GP MIXBUF. == Global Processor (GP) == The GP is a DSP to do programmable audio processing on the voice bins. The GP DSP seems to run at 160 MHz. === MIXBUF === The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words. Each 0x20 word block represents one of the 32 voice bins of the VP. The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms. === Memory map === === Related APU memory === * GPS = GP Scratch (?) * GPF = GP FIFO == Encode Processor (EP) == The EP is a DSP to encode the audio signal. === Memory map === === Related APU memory === * EPS = EP Scratch (?) * EPF = EP FIFO == Usage in DirectSound == ''This topic deserves it's own article{{FIXME}}'' The bins are used {{FIXME|reason=How?}} DirectSound allows to load custom GP DSP code for a filter / effects chain. {{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}} The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through the filter chain. At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration. The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space. The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel). Each ringbuffer is 0x200 words and therefore holds the last 16 frames. Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory. The order of the channels in the ringbuffer is (also DMA order): * 0: Front Left * 1: Center{{citation needed}} * 2: Front Right * 3: Rear Left{{citation needed}} * 4: Rear Right{{citation needed}} * 5: [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}} The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory. The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}. {{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}} The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}. The EP code is loaded by DirectSound. The EP is not programmable using DirectSound APIs. === Modifications for Boot Animation === During the [[Boot Animation]] a different version of DirectSound is used. The EP is disabled in this case. The data is send to the ACI AC97 using GP FIFO channel 0 (PCM). There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}. == Related notes == * [[ACI]] * [[DSP]] * [[Xbox ADPCM]] * [http://www.nvidia.com/object/apu.html Information at NVIDIAs website] * [http://www.nvidia.com/attach/9004 "Technical Brief: NVIDIA nForce MCP Audio Processing Unit" by NVIDIA] * [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/ Scripts to inspect APU registers and voice buffers] * Filter information ** [https://de.mathworks.com/help/audio/examples/parametric-equalizer-design.html Something about Parametric Equalizers] ** [https://github.com/kcat/openal-soft/blob/master/Alc/effects/reverb.c Mentions I3DL2 Reverb] ** [https://www.midi.org/specifications/item/dls-level-2-specification DLS2 low-pass filter with resonance and dynamic filter cutoff frequency] [[Category:APU]] a7b45b7853925292bfffe4c340a8fd707c3d7181 0 3669 6747 6569 2019-07-16T05:49:24Z Redherring32 2513 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 3be8121f4386d52cf89d1fed8ef3a6316d3e1c11 0 3762 6748 6469 2019-07-16T17:55:11Z Redherring32 2513 wikitext text/x-wiki The Flash is a 256 kiB or 1 MiB [[Wikipedia:Flash_memory|non-volatile <abbr title="Thin Small Outline Package">TSOP</abbr> ROM chip]] and connected to the [[MCPX]] via the [[Wikipedia:Low Pin Count|<abbr title="Low Pin Count">LPC</abbr>]] bus. The Flash ROM is mapped at 0xFFF00000 (if the ROM is 1 MiB; 0xFFFC0000, if the ROM is 256 kiB) in the Xbox kernel. For the content of the Microsoft flash images see [[BIOS]]. 979ad504c7805d302c832135a9eb0837b6e8b40f 0 3756 6749 6107 2019-07-16T17:55:53Z Redherring32 2513 /* Xbox 1.0 */ wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] d0abde94640e2dd3e46a194144db2f5f8569f132 6778 6749 2019-10-03T08:47:24Z Teufelchen 2518 /* Xbox 1.0 */ wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === [[File:USB_Daughterboard_front.png|400px|thumb|right|Xbox Version 1.0 USB Daughterboard]] {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] d8ca1634ca40e65541a8ebb756f3677d1313488c 6779 6778 2019-10-03T09:08:33Z Teufelchen 2518 /* Xbox 1.0 */ wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === [[File:USB_Daughterboard_front.png|100px|thumb|right|Xbox Version 1.0 USB Daughterboard]] {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] 750e01baaee8b05a15af19721f611dc6dfd37052 0 3681 6750 6584 2019-07-16T17:59:05Z Redherring32 2513 wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that the Pentium III in the Xbox only had a 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/24542154.pdf Mobile Intel® Celeron® Processor (0.18μ and 0.13μ) Specification Update] This document should contain the errata for the Xbox CPU. * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. c9967500b2b77629200da5f400365cd7ff042d21 6767 6750 2019-08-09T14:38:11Z PatrickvL 2473 Added Wikipedia link wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that the Pentium III in the Xbox only had a 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/24542154.pdf Mobile Intel® Celeron® Processor (0.18μ and 0.13μ) Specification Update] This document should contain the errata for the Xbox CPU. * Wikipedia - List of Intel Pentium III microprocessors - [https://en.wikipedia.org/wiki/List_of_Intel_Pentium_III_microprocessors#"Coppermine-128"_(180_nm)] * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. 604df5d3c050ac1788f5e527f1ae7660063cc89c 6769 6767 2019-08-23T15:08:41Z JayFoxRox 2 Fix Wikipedia URL wikitext text/x-wiki The CPU in the Xbox was a custom Pentium III running at 733MHz. The 'custom' part of this was that the Pentium III in the Xbox only had a 128KB L2 cache instead of the usual 256KB. This allowed Microsoft to buy them at a bit of a discount and Intel to shift a few more CPUs{{citation needed}}. == References == * [http://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/28365403.pdf Mobile Intel® Celeron® Processor (0.18μ) in BGA2 and Micro-PGA2 Packages] This datasheet is for the mobile version Coppermine with 256kB L2 cache. It does not contain the Xbox Coppermine-128 with 128kB L2 cache at 733MHz (S-Spec SL5SN). No such datasheet exists. Both differences are pin compatible. * [https://www.intel.com/content/dam/support/us/en/documents/processors/mobile/celeron/sb/24542154.pdf Mobile Intel® Celeron® Processor (0.18μ and 0.13μ) Specification Update] This document should contain the errata for the Xbox CPU. * [https://en.wikipedia.org/wiki/List_of_Intel_Pentium_III_microprocessors#&quot;Coppermine&quot;_(180_nm) Wikipedia - List of Intel Pentium III microprocessors: "Coppermine" (180 nm)] * [https://www.google.com/patents/US20050282621 CPU upgrading adapter for a Microsoft XboxTM game machine] US Patent Application 20050282621 by Friendtech, filed 2003-08-21. 00aa112276ebeabe7bceb45029204e7c783b27cb 0 3675 6751 6640 2019-07-16T18:01:38Z Redherring32 2513 wikitext text/x-wiki The NV2A is the northbridge of the chipset, as well as the GPU. == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Notes == * [https://web.archive.org/web/20031004105935/http://developer.nvidia.com:80/object/nv30_emulation.html NV30 information and emulator] * [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006] [[Category:NV2A]] 02aa82fd3739c7672e883d3e2869d3e817e19bf5 0 3674 6752 6692 2019-07-16T18:03:14Z Redherring32 2513 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory (and the motherboard has empty spots where these could have been) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 3f70d4ecd691626b86fe9a97da16d4f1709cc88a 0 3750 6753 6299 2019-07-18T16:03:08Z Codeasm 2480 /* Xcalibur */ the rom is on the LPC bus wikitext text/x-wiki The '''video encoder''' is a chip that converts a digital pixel data stream (coming from the nVidia NV2A graphics processor) into analog video signal, just like a [http://en.wikipedia.org/wiki/RAMDAC RAMDAC] would. An ordinary RAMDAC, however, can only output VGA-style RGB signal. The video encoder used in the Xbox is more flexible, and can generate several different types of signals that adhere to various video standards and color formats. These include, but are not necessarily limited to: * VGA-style &gt;31 kHz RGB, though only with Sync-on-Green sync signals. (If needed, separate HSYNC and VSYNC signals can be obtained from the motherboard, or by building a special video cable with active electronics for stripping and separating the Sync-on-Green sync signal. In any case, separate HSYNC and VSYNC are not available directly through the AV connector.) * TV-compatible 15 kHz RGB (with composite sync) &ndash; suitable for European-style SCART RGB output (are progressive 625/50 signals supported?) * Component (Y'PbPr) signal, both in SDTV and HDTV resolutions; suitable for American-style "component" output * PAL color signal with typical PAL timings (including PAL60), in both composite (CVBS) and s-video (Y/C) formats * SECAM color signal with typical SECAM timings, in both composite (CVBS) and s-video (Y/C) formats * NTSC color signal with typical NTSC timings, in both composite (CVBS) and s-video (Y/C) formats * Black and white composite video signal without a color carrier The video encoder is also capable of PALplus style Line 23 Wide Screen Signalling (WSS), and the Xbox PIC is rigged with the capability of controlling Scart pin 8 (the ''function switching pin'', which is used as an alternative method of Wide Screen Signalling) and pin 16 (the ''fast switching pin''.) The make and model of the video encoder has varied through the years &ndash; three different video encoders have been used thus far. All three are very similar in their features; they support various modes and are flexible enough to be able to output a VGA compatible signal (which is not supported by the Xbox kernel). They are, however, not register-compatible. Two of the video encoders (Conexant CX25871 and Focus FS454) also have extensive scaling and filtering functionality, which allows for [http://scanline.ca/overscan/ overscan compensation] in desktop-style "TV out" usage. This means that the GPU can output ordinary VGA resolutions with VGA timings and the video encoder can convert them to SDTV resolutions with TV-style timings on the fly, adding borders around the image so that a projection of the VGA framebuffer image falls within the "safe area" of the video signal. The capabilities of the Xcalibur chip, however, remain a mystery in this regard: it is not known whether it has a scaler. All video encoders are connected to (and controlled via) the [[SMBus]]. === Conexant CX25871 === The [http://www.alldatasheet.com/datasheet-pdf/pdf/153349/CONEXANT/CX25871.html Conexant CX25871] is a close relative of the Brooktree BT868/BT869. There is also a sister model (CX25870) without the Macrovision capability. This chip was used in Xbox versions 1.0 through 1.3. === Focus FS454 === The [https://www.manualslib.com/products/Focus-Fs454-211664.html Focus FS454] was used in v1.4 (and possibly v1.5) Xboxes. There is also a sister model (FS453) without the Macrovision capability. === Xcalibur === The Xcalibur video encoder is a custom chip manufactured for Microsoft. It was first used in Xbox hardware revision 1.6. Unfortunately, there is no official programming documentation available for this chip. It seems the only way to find out more is through reverse-engineering techniques. Xboxes that contain the Xcalibur encoder have the firmware ROM and the PIC physically integrated into another custom chip, named Xyclops. the ROM is put on the LPC bus [[https://web.archive.org/web/20180401042955/http://www.eurasia.nu/wiki/index.php/XboxXyclopsEventLog]] c24a778bbd8a94a76e5e2e0d8e92d9f2e4db97a0 0 3669 6754 6747 2019-07-30T21:03:13Z DarkGabbz 2486 Included 1.4/1.6 Video Encoder changes wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] e05e2767b3dcae45ea3de4456aad9ca5a0f79536 6755 6754 2019-07-30T21:05:46Z DarkGabbz 2486 Added Board Layout changes wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** New Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 05b050d037d7c0ad94c54605a8b81b89091831d1 6756 6755 2019-07-30T21:06:29Z DarkGabbz 2486 TSOP Stuffs wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** New Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 1c8b9a0ef7d010e4d58a5bb23a5b511849f7071a 6758 6756 2019-07-30T21:19:56Z DarkGabbz 2486 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 146331e7d91b876e7fd87ead71beadc664cb947a 6759 6758 2019-07-31T15:03:40Z Codeasm 2480 /* DVD Drive */ added controller information wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMPSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI GDR-8050L ==== The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 73197916667b4d05085071031ed374a4ece9a521 6768 6759 2019-08-14T13:26:25Z DarkGabbz 2486 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI GDR-8050L ==== The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 7a036dc683c50d7c912a2d5ccc457e2910727405 6774 6768 2019-09-28T00:52:46Z Redherring32 2513 /* History of Xbox 1.5 */ wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate PCB ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI GDR-8050L ==== The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 2751900184a9060cccdd8394634ca6d6b777951c 6783 6774 2019-10-04T12:28:50Z Teufelchen 2518 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI GDR-8050L ==== The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. ===Hitachi-LG GDR-8050L === This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. on 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] aff63e93eb4826ecdc6dd4bdf6aa06560c2d19b7 0 3824 6757 6712 2019-07-30T21:17:50Z DarkGabbz 2486 Date fix wikitext text/x-wiki Here a list of patents that might be related to the original Xbox: * Filed 1997-11-25 by Nvidia: https://www.google.com/patents/US6697063 "Rendering pipeline" * Filed 1998-12-23 by Microsoft: https://www.google.com/patents/US6417858 "Processor for geometry transformations and lighting calculations" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6198488 "Transform, lighting and rasterization system embodied on a single semiconductor platform" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6573900 "Method, apparatus and article of manufacture for a sequencer in a transform/lighting module capable of processing multiple independent execution threads" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6765575 "Clip-less rasterization using line equation-based traversal" * Filed 1999-12-06 by Nvidia: https://www.google.com/patents/US6650325 "Method, apparatus and article of manufacture for boustrophedonic rasterization" * Filed 2000-12-05 by Nvidia: https://www.google.com/patents/US6690372 "System, method and article of manufacture for shadow mapping" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452282 "Portion of an electronic housing" * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD452534 "Portion of an electronic housing" (not a dupe, its the top X shape in detail) * Filed 2001-01-11 by Microsoft: https://www.google.com/patents/USD451513 "Computer input device" (describes the original Xbox controller, a.k.a. : "the Duke") * Filed 2003-05-09 by Microsoft: https://www.google.com/patents/US8493326 "Controller with removably attachable text input device" (an early keypad, later revered to by the 360 keypad patent) * Filed 2003-05-09 by Micorsoft: https://www.google.com/patents/US7116311 "Embedded text input " (reffered to by the 360 chatpad) * Filed 2006-07-03 by Micorsoft: https://www.google.com/patents/US7804484 "Embedded text input " (probably a corrected version of US7116311, reffered to by the 360 chatpad, a picture of the "Baretta" chatpad, https://assemblergames.com/threads/xbox-chatpad-unreleased.54523/ * Filed 2001-06-19 by Nvidia: https://www.google.com/patents/US6870540 "System, method and computer program product for a programmable pixel processing model with instruction set" * Filed 2002-06-07 by Microsoft: https://www.google.com/patents/US6907522 "Use of hashing in a secure boot loader" (mentions "NV2A") * Filed 2003-08-21 by Friendtech: https://www.google.com/patents/US20050282621 "CPU upgrading adapter for a Microsoft XboxTM game machine" * Filed 2005-01-04 by Nvidia: https://www.google.com/patents/US7916149 "Block linear memory ordering of texture data" * Filed 2005-01-07 by Microsoft: https://www.google.com/patents/US7676840 "Use of hashing in a secure boot loader" (a continuation of patent US6907522) * Filed 2005-05-17 by Nvidia: https://www.google.com/patents/US7793029 "Translation device apparatus for configuring printed circuit board connectors " (describes coupling two PCI Express connectors, possibly for the secondary Chihiro board, mentions "Xbox") * Filed 2001-04-30 by Microsoft: https://www.google.com/patents/US20020160654 "Breakaway cable connector" (filed by Microsofts attorneys) * Filed 2004-22-02 by Microsoft: https://patents.google.com/patent/US7303476 "Method and apparatus for creating and playing soundtracks in a gaming system" * Filed 2002-05-16 by Microsoft: https://patents.google.com/patent/US6935959 "Use of multiple player real-time voice communications on a gaming device" * Filed 2001-03-09 by Microsoft: https://patents.google.com/patent/US7218739B2 "Multiple user authentication for online console-based gaming" * Filed 2005-03-09 by Microsoft: https://patents.google.com/patent/US7811174B2 "Method and apparatus for managing data in a gaming system" Possibly unrelated : * Filed 1989-12-29 by Dolby Laboratories: https://www.google.com/patents/US5109417 "Low bit rate transform coder, decoder, and encoder/decoder for high-quality audio" * Filed 2008-01-15 by Microsoft: https://www.google.com/patents/US8607324 "Untrusted gaming system access to online gaming service" (describes part of Xbox online) * Filed 2011-06-17 by Microsoft: https://www.google.com/patents/US8641525 "Controller for video game console" (one of the 51 patents comprising the Xbox One controller) * Filed 2011-09-07 by Microsoft: https://www.google.com/patents/US8597125 "System and method for configuring game data about players" * Filed 2012-01-13 by Microsoft: https://www.google.com/patents/US8602897 "Extended and editable gamer profile" * Filed 2007-12-07 by Microsoft: https://www.google.com/patents/US8487876 "Ergonomic hand-held text input device " (The xbox 360 chatpad, wich mentions the OG textpad US8493326 and US7116311 ;) ) b256603699fe69c5e11416d827f4eda5ee2ed85e 0 3909 6760 6610 2019-08-04T14:06:06Z Dreimer 2516 /* Pins */ wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | SERIRQ (v1.0) || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, pin 9 is disconnected. Reconnect to pin 15 to restore the supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, disconnected. Can be reconnected though. ([[LFRAME# reconnect]]) * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. 04bd5439e9d7e2883976436f21f1e9731323b35e 6764 6760 2019-08-04T22:13:46Z Haxar 2485 Move LFRAME# reconnection page to its own section wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | SERIRQ (v1.0) || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, pin 9 is disconnected. Reconnect to pin 15 to restore the supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, this pin is disconnected. See [[LPC_Debug_Port#LFRAME.23_reconnect|LFRAME# reconnect]] for a possible reconnection. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. == LFRAME# reconnect == It is possible to reconnect this pin on 1.3-1.5 hardware by tapping the MCPX soldermask and soldering a jumper wire to the disconnected pin on the LPC port. Result should look similar to this in the end: [https://photos.app.goo.gl/wUvAwm3KS3ePSnYj8] (Image provided by dreimer) In the end, we can gain kernel debug output from Super I/O serial again: [https://cdn.discordapp.com/attachments/603568167255801861/607540322871803904/unknown.png] (Image provided by dreimer) This reconnection was tested on 1.3 hardware, and should work on 1.4 and 1.5 revisions, as the MCPX is the same. == References == * [https://web.archive.org/web/20140805105234/http://dwl.xbox-scene.com/~xbox/xbox-scene/tutorials/LFRAME-for-v1_3-and-up.pdf LFRAME-for-v1_3-and-up.pdf] An old manual from Xbox-Scene that explains how to reconnect '''LFRAME#''' (3) for a Cheapmod. This we don't care about, but is what we want for [[Kernel_Debug|kernel debugging]] via [[Super_I/O|Super I/O]]. Thanks to dreimer for finding and testing this documentation. d5581b4bbea0e622c80c9121ca8e386d4e06e09a 0 3986 6761 2019-08-04T14:13:09Z Dreimer 2516 Created page with "A old manual from XBox-Scene still is available from https://www.archive.org/ which explains how to reconnect LFRAME# for Cheapmods. This we don't care about, but the rest is..." wikitext text/x-wiki A old manual from XBox-Scene still is available from https://www.archive.org/ which explains how to reconnect LFRAME# for Cheapmods. This we don't care about, but the rest is what we want: [https://web.archive.org/web/20140805105234/http://dwl.xbox-scene.com/~xbox/xbox-scene/tutorials/LFRAME-for-v1_3-and-up.pdf Manual] Result should look similar to this in the end: [https://photos.app.goo.gl/wUvAwm3KS3ePSnYj8] In the end, we can gain debug output from serial again: [https://cdn.discordapp.com/attachments/603568167255801861/607540322871803904/unknown.png] This was tested on a 1.3 board, but should be the same on 1.4 and 1.5 too as the MCPX is the same. 8c6be9ea0d2970961d816ccb456a0eed1e4246b1 6765 6761 2019-08-04T22:16:39Z Haxar 2485 Redirected page to [[LPC_Debug_Port]] wikitext text/x-wiki #REDIRECT [[LPC_Debug_Port#LFRAME.23_reconnect]] b1952274f75ee936ae28d8ceac7e97d4337e23fb 0 1 6762 6725 2019-08-04T20:55:06Z Haxar 2485 nit wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 276bec0f74a34f1e46ff8e38e299ea9c31af69d0 6763 6762 2019-08-04T21:05:00Z Haxar 2485 Added LPC bus under MCPX southbridge wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Xbox 360 Backward Compatibility]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] da522e59cd512189a831737d4b5c7455db95bcdd 0 11 6766 6723 2019-08-09T11:28:12Z Dracc 2502 Fix Steel Battalion Controller RightJoyFire button Mask according to https://github.com/Ryzee119/ogx360/blob/master/Firmware/ogx360_32u4/ogx360_32u4/steelbattalion.h wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === USB Descriptors === Most standard gamepads share the same USB descriptor. Usually the only difference will be the VID / PID. See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 2945fc7b5ed89421e8ade662a38ba4f3d5db57a1 0 3818 6770 6711 2019-08-30T02:23:26Z CrunchBite 2511 Added "real world power usage" section wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == As measured on a v1.0 Xbox with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. {| class="wikitable" ! || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] cd008aad43e96e1906129b19667c3d5e52ce7ecc 6771 6770 2019-09-01T17:35:51Z CrunchBite 2511 /* Real world power usage */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == DC amperage as measured on a v1.0 Xbox with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. AC wattage measured at 120v 60Hz using a 'KILL A WATT' meter. {| class="wikitable" ! || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- | ~120VAC || 2.1W || 67.4W || 65.3W || 68.5W || 68.5W |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] d3880a15f67856f4cc387f3ef948c08de3aafa36 6772 6771 2019-09-01T17:36:49Z CrunchBite 2511 /* Real world power usage */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == DC amperage as measured on a v1.0 Xbox with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. AC wattage measured at 120v 60Hz using a 'KILL A WATT' meter includes all system components but DVD drive and controller rumble were not used. {| class="wikitable" ! || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- | ~120VAC || 2.1W || 67.4W || 65.3W || 68.5W || 68.5W |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] af65892dfe2efae2f6c9ac56d1015e37c4892ddf 6773 6772 2019-09-20T00:51:54Z CrunchBite 2511 Added xbox 1.3 power usage measurements wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == DC amperage as measured on with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. AC wattage measured at 120v 60Hz using a 'KILL A WATT' meter includes all system components but DVD drive and controller rumble were not used. {| class="wikitable" ! XBOX V1.0 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- | ~120VAC || 2.1W || 67.4W || 65.3W || 68.5W || 68.5W |- |} {| class="wikitable" ! XBOX V1.3 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 8.5A || 8.1A || 8.6A || 8.6A |- | 3.3v Standby || 0.4A || 0.5A || 0.5A || 0.5A || 0.5A |- | 3.3v || 0A || 3.7A || 2.9A || 3.7A || 3.7A |- | 5v || 0A || 6.4A || 6.7A || 6.5A || 6.7A |- | 12v || 0A || 0.2A || 0.3A || 0.2A || 0.3A |- | ~120VAC || 1.2W || 64.6W || 62.2W || 64.3W || 64.6W |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 8461fa76bef3858d3e1dc7a09504f31456aad188 6781 6773 2019-10-03T14:10:56Z Teufelchen 2518 /* Related links */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == DC amperage as measured on with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. AC wattage measured at 120v 60Hz using a 'KILL A WATT' meter includes all system components but DVD drive and controller rumble were not used. {| class="wikitable" ! XBOX V1.0 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- | ~120VAC || 2.1W || 67.4W || 65.3W || 68.5W || 68.5W |- |} {| class="wikitable" ! XBOX V1.3 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 8.5A || 8.1A || 8.6A || 8.6A |- | 3.3v Standby || 0.4A || 0.5A || 0.5A || 0.5A || 0.5A |- | 3.3v || 0A || 3.7A || 2.9A || 3.7A || 3.7A |- | 5v || 0A || 6.4A || 6.7A || 6.5A || 6.7A |- | 12v || 0A || 0.2A || 0.3A || 0.2A || 0.3A |- | ~120VAC || 1.2W || 64.6W || 62.2W || 64.3W || 64.6W |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [https://www.youtube.com/watch?v=LBoF1e5YDdQ Eevblog takes a look inside the replacement coord as well as the power supply itself] * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 9221dbc97d0d33ed51b6f4b6e4117c90486b17f9 6782 6781 2019-10-03T14:11:18Z Teufelchen 2518 /* Related links */ wikitext text/x-wiki It's either a Foxlink{{citation needed}} or Delta Electronics power supply for most xboxes. Some are rumored to be shipped with a Minebea brand and 1.6 xboxes are found with a "tuscany" made probably by Samsung. On a 1.0 xbox supply, there seems to be 2{{citation needed|reason=2 per region, or 2 overall? and, what about foxlink?}} types for the US 120V and EU 240V market. The standby voltage powers the [[SMC]] which handles turning on and off the system. The Xbox supply needs a voltage (3V3?) on it's power-on line to leave the standby mode. This results in the other voltages being supplied. === Delta Electronics === The marks are on the PCB with a check next to them: * Delta Electronics DPSN-96-AP-1 should be the EU 240V one{{citation needed}} * Delta Electronics DPSN-96-AP is the US 120V one There is a link J11 under CR1 (right side of the coil under it) that might make the difference between 120V and 240V. It also seems that the Bridge rectifier is bigger on the US models. This could make sense as it has to handle double the current. So, before experimenting with this it might be worth to check if the installed type can handle 2.3 amps. The rated output currents are also noted on the PCB {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.075A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} === Foxlink Technology LTD === {{FIXME|reason=I don't own any US xboxes to compare US foxlinks with}}On the lower heatsink, there is a sticker with the following markings and versions: * MODEL: FTPS-0001 REV:B {{citation needed}} (120V) * MODEL: FTPS-0002 REV:B (from a 2002 PAL (240V)) * MODEL: FTPS-0002 REV:H (from a 2003 PAL (240V)) * MODEL: FTPS-0002 REV:G {{citation needed}} (240V) * MODEL: FTPS-0007 REV:B {{citation needed}} (120V) (are these after the powercord recall?) * MODEL: FTPS-0007 REV:D {{citation needed}} (120V) (are these after the powercord recall?) The rated output currents are also noted on the sticker 96W Max output power {| class="wikitable" | Power Rail | Rated Current |- | 3.3V Standby | 0.045A |- | 3.3V | 4.8A |- | 5V | 13.2A |- | 12V | 1.2A |} ==== Powercord recall ==== Microsoft started an powercord recall, or more like a replacement program [https://web.archive.org/web/20050301093947/http://www.xbox.com:80/en-US/news/0502/powercordannouncement.htm xbox.com]for what appeared to be Foxlink powersupplies having a bad powerplug connector on the back of the console and where installed in 1.0 and 1.1 Xboxes.{{citation needed}}. Microsoft tried to resolve this by offering free replacement powercords and advising to trow out the old ones. [https://web.archive.org/web/20120722175134/http://www.xbox-scene.com/xbox1data/sep/EEpAEAylAluZlwSlOJ.php More to the power cord replacement than meets the eye?]{{FIXME|reason=why is this link here and where could / should it be instead? I think it's misplaced here}}. From the Microsoft powercord replacement FAQ: : '''Does my console require a replacement cord?''' : If it was manufactured before October 23, 2003, your console requires a replacement cord (except for consoles purchased in Continental Europe, where consoles manufactured prior to January 13, 2004 require a replacement cord). Consoles manufactured after October 23, 2003 (after January 13, 2004 for consoles purchased in Continental Europe) do not require replacement cords because design improvements to the cord and console already protect against the problems that are addressed by the replacement cords.[https://web.archive.org/web/20050223041403/http://replacements.webprogram.com:80/en-us/faqs.asp#Q-7] The old page describing how to order has been archived here: [https://web.archive.org/web/20050223060900/http://replacements.webprogram.com:80/en-us/programoverview.asp] One would either receive a thicker but very similar powercord or an actual [https://simple.wikipedia.org/wiki/GFCI GFI] (Ground Fault Circuit Interrupter). a online form would then be used to determine which type of cable you receive by means of serial number. {{FIXME|reason=I cant seem to find a source for these details yet, but I personally requested 2, 1 for my own Xbox (a 1.4, with a confirmed Delta. never replaced it.) and received a normal cable (EU). A friends xbox was older, 1.1/1.2?) and we got a european fusebox brick for his. looks like the UK one, but with the Benelux plug. It was all for free in Europe I remember the part number on my normal cable to be different (higher) for the newer one... ill check if I have it in the original box still}} ===== AFCI ===== A video of whats inside an european (UK) "AFCI" [https://www.youtube.com/watch?v=C0wQikAO-yA] An european AFCI ordered from MS for free had the following on the bottom label. {| class="wikitable" | Part number | X800925-100 |- | | 200-240V~,50/60HZ, 610mA |- | MFG Code | DN0855 |} The cable that is wired to the AFCI has the following markings: {| class="wikitable" ! top ! bottom |- | JI-HAW | JHT-031 |} ===== Old and New cords ===== The replacement cable has the following markings:{{citation needed}} {| class="wikitable" ! top ! bottom |- | JHT-031 | {{citation needed}} |} The older cable that needed replacement was: {| class="wikitable" ! top ! bottom |- | NITTO SS | W41-27854 |- | JHT-013 | N15905 |- | JI-HAW | |- | E147422 | |} Presumably this one doesn't come with tighter tolerances. === Samsung "TUSCANY"=== Found in 1.6 xboxes and seems to be made by Samsung (or atleast the main transformer is, which also has the detail label on it) {{FIXME|reason=There are TUSCANY powersuplies in some 1.6 xboxes?}} * PSCD101301A === Minebea === {{FIXME|reason=There are in the UK, Minebea powersuplies in some xboxes?}} * MS001A096EMJ {| !Minebea Electronics UK LTD !(circuit board) |- |DWG No. |1 R26PA-SE300393 REV: E |- |PART No. |1 1612100002 |- | |0234-3 |- !Sticker: | |- |NMB Technologies Corp |Power Supply Division |- |Made in |Thailand |- |Model: |MS001A096EMJ |- |REV: |08 |- |AC INPUT:100-120V |2A 47-63Hz |} == Connector pinout == === Xbox 1.0 and 1.1 === The power supply connector for 1.0 and 1.1 is a single column of pins described by the following chart. Pin 1 is the connector pin closest to the back of the Xbox. {| class="wikitable" ! Pin || Usage |- | Pin 1 || PowOK |- | Pin 2 || PowON |- | Pin 3 || GND |- | Pin 4 || GND |- | Pin 5 || GND |- | Pin 6 || GND |- | Pin 7 || +3.3V Standby |- | Pin 8 || +3.3V |- | Pin 9 || +5V |- | Pin 10 || +5V |- | Pin 11 || +5V |- | Pin 12 || +12V |} === Xbox 1.2, 1.3, 1.4, and 1.5 === The power supply connector for the 1.2, 1.3, 1.4, and 1.5 xboxes is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK || Pin 1 || PowON |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || +3.3V |- | Pin 4 || +3.3V || Pin 4 || None |- | Pin 5 || None || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +3.3V Standby |- | Pin 7 || None || Pin 7 || GND |- | Pin 8 || +5V || Pin 8 || +5V |- | Pin 9 || +5V || Pin 9 || None |- | Pin 10 || +5V || Pin 10 || +12V |} === Xbox 1.6 === The connector for the 1.6 Xbox is two columns. Pin 1, Column 1 being the top left pin. Pin 1, Column 2 being the top right pin. The top being the side closest to the back of the Xbox. This is the same connector as a 1.2, 1.3, 1.4, and 1.5 xboxes, with a different pinout. {| class="wikitable" ! Pin Column 1 || Usage || Pin Column 2 || Usage |- | Pin 1 || PowOK (3.3V Standby) || Pin 1 || PowON (3.3V) |- | Pin 2 || GND || Pin 2 || GND |- | Pin 3 || None || Pin 3 || None |- | Pin 4 || None || Pin 4 || None |- | Pin 5 || GND || Pin 5 || GND |- | Pin 6 || GND || Pin 6 || +5V (0.12V Standby) |- | Pin 7 || GND || Pin 7 || GND |- | Pin 8 || +5V Standby || Pin 8 || +5V Standby |- | Pin 9 || +5V Standby || Pin 9 || GND |- | Pin 10 || +5V Standby || Pin 10 || +12V (0.532V Standby) |} == Real world power usage == DC amperage as measured on with a Fluke 376 clamp meter around the PSU to Motherboard connections. HDD not included in measurements and the DVD drive and controller rumble were not used. AC wattage measured at 120v 60Hz using a 'KILL A WATT' meter includes all system components but DVD drive and controller rumble were not used. {| class="wikitable" ! XBOX V1.0 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 5.9A || 5.8A || 6.0A || 6.2A |- | 3.3v Standby || 0.2A || 0.3A || 0.3A || 0.3A || 0.3A |- | 3.3v || 0A || 2.5A || 2.2A || 2.7A || 2.7A |- | 5v || 0A || 7.1A || 7.2A || 7.0A || 7.2A |- | 12v || 0A || 0.3A || 0.4A || 0.4A || 0.4A |- | ~120VAC || 2.1W || 67.4W || 65.3W || 68.5W || 68.5W |- |} {| class="wikitable" ! XBOX V1.3 || Power off || Unleash X || Halo 2 Menu || DolphinClassic || Maximum Observed |- | GND || 0A || 8.5A || 8.1A || 8.6A || 8.6A |- | 3.3v Standby || 0.4A || 0.5A || 0.5A || 0.5A || 0.5A |- | 3.3v || 0A || 3.7A || 2.9A || 3.7A || 3.7A |- | 5v || 0A || 6.4A || 6.7A || 6.5A || 6.7A |- | 12v || 0A || 0.2A || 0.3A || 0.2A || 0.3A |- | ~120VAC || 1.2W || 64.6W || 62.2W || 64.3W || 64.6W |- |} TODO: Measure other hardware revisions and more usage scenarios. == Related links == * [https://www.youtube.com/watch?v=LBoF1e5YDdQ EEVblog takes a look inside the replacement coord as well as the power supply itself] * [http://brandonw.net/consoles/xbox/ Describes how to turn an ATX Power-Supply to Xbox PSU] * [https://web.archive.org/web/20060421203325/https://msmvps.com/blogs/matthewsoft/archive/2005/02/17/36238.aspx Powercord recall blog with exacter cable numbers] 0643078b8a02014738fdd64ad463e8a9f1a2d6f0 6 3987 6775 2019-10-03T08:28:50Z Teufelchen 2518 The frontside of the USB Daughterboard from Rev 1.0 XBOX wikitext text/x-wiki The frontside of the USB Daughterboard from Rev 1.0 XBOX dc8bc54e1feb5214d8845f7fc25b117504fa44fd 6 3988 6776 2019-10-03T08:31:34Z Teufelchen 2518 The backside of the USB Daughterboard of the Rev. 1.0 XBOX wikitext text/x-wiki The backside of the USB Daughterboard of the Rev. 1.0 XBOX b5a4c31f8f2c107fcbce328ad9b28e7ed733b4b2 6 3989 6777 2019-10-03T08:34:46Z Teufelchen 2518 The USB Daughterboard of the Rev. 1.0 XBOX from the side wikitext text/x-wiki The USB Daughterboard of the Rev. 1.0 XBOX from the side 700b03eff731f907159f611567fe49c8c4ffe8bd 6 3990 6780 2019-10-03T09:27:48Z Teufelchen 2518 Close-up of the ic on the usb daughterboard wikitext text/x-wiki Close-up of the ic on the usb daughterboard 785ecc5ba800ff7c80e1eac082626904cfcf4eb3 0 3700 6784 6648 2019-10-06T20:23:18Z Wayo 2479 /* USB Adapters */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 972c6a8a54b442e5642aac262068b9d645129e18 0 8 6785 6735 2019-10-07T13:10:32Z JayFoxRox 2 Documenting register-combiner differences between NV2A and GL wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the ZERO and DISCARD register are the same index: writes are discard / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] adb4c7070f28606ea7d0ef6615cb2005fd1e78a8 6787 6785 2019-10-07T13:23:00Z JayFoxRox 2 Swap register names to make it consistent + fix typo wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 8d4e7ebb0b00e53f69e9c45ab9d0473d6978daf6 6788 6787 2019-10-07T13:34:32Z JayFoxRox 2 PS_TEXTUREMODES_DOT_ZW is DOT_PRODUCT_DEPTH_REPLACE_NV wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 50422bb936ef050d8d7e752ad1522f13780ddbac 1 3760 6786 5490 2019-10-07T13:20:55Z JayFoxRox 2 Response about nvidia names wikitext text/x-wiki == Move data from cxbx == https://github.com/Echelon9/cxbx-shogun/blob/master/src/CxbxKrnl/EmuD3D8/PixelShader.cpp#L467 uses the nvidia names Those are MS names, not nvidia; I believe most of them are already in the article. I actually want to remove them in the future to focus on the GL spec (which is much closer to hw + explicit). --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 06:20, 7 October 2019 (PDT) 28e72256dcb8c019085e77e644fbb30b7c6010ea 6789 6786 2019-10-07T13:39:23Z JayFoxRox 2 I was wrong, MS and nvidia names are really close. wikitext text/x-wiki == Move data from cxbx == https://github.com/Echelon9/cxbx-shogun/blob/master/src/CxbxKrnl/EmuD3D8/PixelShader.cpp#L467 uses the nvidia names Those are MS names, not nvidia (edit: although they are very similar); I believe most of them are already in the article. <del>I actually want to remove them in the future to focus on the GL spec (which is much closer to hw + explicit).</del> (edit: GL is a bit more limited actually). --[[User:JayFoxRox|JayFoxRox]] ([[User talk:JayFoxRox|talk]]) 06:20, 7 October 2019 (PDT) abe11298ec4a3b1ad2e6efdfee15045ec001cb96 2 3948 6790 6598 2019-10-21T00:08:04Z JayFoxRox 2 Add file which can be used to debug savegame localization wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == TitleMeta.xbx locales == Put this into a file and move it to "E:/UDATA/13371337/TitleMeta.xbx" and check which languages your MS dashboard supports (my results are from 1.00.5960.01 from Germany in NTSC mode): <pre> TitleName=#Known locale - (fallback, same as [default]) [ZW] TitleName=#Unknown locale [zw] [ZA] TitleName=#Unknown locale [za] [YE] TitleName=#Unknown locale [ye] [VN] TitleName=#Unknown locale [vn] [VE] TitleName=#Unknown locale [ve] [UZ] TitleName=#Unknown locale [uz] [UY] TitleName=#Unknown locale [uy] [US] TitleName=#Unknown locale [us] [UA] TitleName=#Unknown locale [ua] [TW] TitleName=#Unknown locale [tw] [TT] TitleName=#Unknown locale [tt] [TR] TitleName=#Unknown locale [tr] [TN] TitleName=#Unknown locale [tn] [TH] TitleName=#Unknown locale [th] [SY] TitleName=#Unknown locale [sy] [SV] TitleName=#Unknown locale [sv] [SK] TitleName=#Unknown locale [sk] [SI] TitleName=#Unknown locale [si] [SG] TitleName=#Unknown locale [sg] [SE] TitleName=#Unknown locale [se] [SA] TitleName=#Unknown locale [sa] [RU] TitleName=#Unknown locale [ru] [RO] TitleName=#Unknown locale [ro] [QA] TitleName=#Unknown locale [qa] [PY] TitleName=#Unknown locale [py] [PT] TitleName=#Unknown locale [pt] [PR] TitleName=#Unknown locale [pr] [PL] TitleName=#Unknown locale [pl] [PK] TitleName=#Unknown locale [pk] [PH] TitleName=#Unknown locale [ph] [PE] TitleName=#Unknown locale [pe] [PA] TitleName=#Unknown locale [pa] [OM] TitleName=#Unknown locale [om] [NZ] TitleName=#Unknown locale [nz] [NO] TitleName=#Unknown locale [no] [NL] TitleName=#Unknown locale [nl] [NI] TitleName=#Unknown locale [ni] [MY] TitleName=#Unknown locale [my] [MX] TitleName=#Unknown locale [mx] [MV] TitleName=#Unknown locale [mv] [MO] TitleName=#Unknown locale [mo] [MN] TitleName=#Unknown locale [mn] [MK] TitleName=#Unknown locale [mk] [MC] TitleName=#Unknown locale [mc] [MA] TitleName=#Unknown locale [ma] [LY] TitleName=#Unknown locale [ly] [LV] TitleName=#Unknown locale [lv] [LU] TitleName=#Unknown locale [lu] [LT] TitleName=#Unknown locale [lt] [LI] TitleName=#Unknown locale [li] [LB] TitleName=#Unknown locale [lb] [KZ] TitleName=#Unknown locale [kz] [KW] TitleName=#Unknown locale [kw] [KR] TitleName=#Unknown locale [kr] [KG] TitleName=#Unknown locale [kg] [KE] TitleName=#Unknown locale [ke] [JP] TitleName=#Unknown locale [jp] [JO] TitleName=#Unknown locale [jo] [JM] TitleName=#Unknown locale [jm] [IT] TitleName=#Unknown locale [it] [IS] TitleName=#Unknown locale [is] [IR] TitleName=#Unknown locale [ir] [IQ] TitleName=#Unknown locale [iq] [IN] TitleName=#Unknown locale [in] [IL] TitleName=#Unknown locale [il] [IE] TitleName=#Unknown locale [ie] [ID] TitleName=#Unknown locale [id] [HU] TitleName=#Unknown locale [hu] [HR] TitleName=#Unknown locale [hr] [HN] TitleName=#Unknown locale [hn] [HK] TitleName=#Unknown locale [hk] [GT] TitleName=#Unknown locale [gt] [GR] TitleName=#Unknown locale [gr] [GE] TitleName=#Unknown locale [ge] [GB] TitleName=#Unknown locale [gb] [FR] TitleName=#Unknown locale [fr] [FO] TitleName=#Unknown locale [fo] [FI] TitleName=#Unknown locale [fi] [ES] TitleName=#Unknown locale [es] [EG] TitleName=#Unknown locale [eg] [EE] TitleName=#Unknown locale [ee] [EC] TitleName=#Unknown locale [ec] [DZ] TitleName=#Unknown locale [dz] [DO] TitleName=#Unknown locale [do] [DK] TitleName=#Unknown locale [dk] [DE] TitleName=#Unknown locale [de] [CZ] TitleName=#Unknown locale [cz] [CR] TitleName=#Unknown locale [cr] [CO] TitleName=#Unknown locale [co] [CN] TitleName=#Unknown locale [cn] [CL] TitleName=#Unknown locale [cl] [CH] TitleName=#Unknown locale [ch] [CA] TitleName=#Unknown locale [ca] [BZ] TitleName=#Unknown locale [bz] [BY] TitleName=#Unknown locale [by] [BR] TitleName=#Unknown locale [br] [BO] TitleName=#Unknown locale [bo] [BN] TitleName=#Unknown locale [bn] [BH] TitleName=#Unknown locale [bh] [BG] TitleName=#Unknown locale [bg] [BE] TitleName=#Unknown locale [be] [AZ] TitleName=#Unknown locale [az] [AU] TitleName=#Unknown locale [au] [AT] TitleName=#Unknown locale [at] [AR] TitleName=#Unknown locale [ar] [AM] TitleName=#Unknown locale [am] [AL] TitleName=#Unknown locale [al] [AE] TitleName=#Unknown locale [ae] [default] TitleName=#Known locale [default] - (fallback) [EN] TitleName=#Known locale [EN] - english [JA] TitleName=#Known locale [JA] - (japanese) [DE] TitleName=#Known locale [DE] - deutsch [FR] TitleName=#Known locale [FR] - francais [ES] TitleName=#Known locale [ES] - espanol [IT] TitleName=#Known locale [IT] - italiano [KO] TitleName=#Known locale [KO] - (korean) [TW] TitleName=#Known locale [TW] - (taiwanese) [BR] TitleName=#Known locale [BR] - (portugues) </pre> == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- f850038888961bdb1c3074614b13a0749dce4222 6791 6790 2019-10-21T00:08:57Z JayFoxRox 2 wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == TitleMeta.xbx locales == Put this into a file and move it to "E:/UDATA/13371337/TitleMeta.xbx" and check which languages your MS dashboard supports (my results are from 1.00.5960.01 from Germany in NTSC mode): <pre> TitleName=#Known locale - (fallback, same as [default]) [ZW] TitleName=#Unknown locale [zw] [ZA] TitleName=#Unknown locale [za] [YE] TitleName=#Unknown locale [ye] [VN] TitleName=#Unknown locale [vn] [VE] TitleName=#Unknown locale [ve] [UZ] TitleName=#Unknown locale [uz] [UY] TitleName=#Unknown locale [uy] [US] TitleName=#Unknown locale [us] [UA] TitleName=#Unknown locale [ua] [TW] TitleName=#Unknown locale [tw] [TT] TitleName=#Unknown locale [tt] [TR] TitleName=#Unknown locale [tr] [TN] TitleName=#Unknown locale [tn] [TH] TitleName=#Unknown locale [th] [SY] TitleName=#Unknown locale [sy] [SV] TitleName=#Unknown locale [sv] [SK] TitleName=#Unknown locale [sk] [SI] TitleName=#Unknown locale [si] [SG] TitleName=#Unknown locale [sg] [SE] TitleName=#Unknown locale [se] [SA] TitleName=#Unknown locale [sa] [RU] TitleName=#Unknown locale [ru] [RO] TitleName=#Unknown locale [ro] [QA] TitleName=#Unknown locale [qa] [PY] TitleName=#Unknown locale [py] [PT] TitleName=#Unknown locale [pt] [PR] TitleName=#Unknown locale [pr] [PL] TitleName=#Unknown locale [pl] [PK] TitleName=#Unknown locale [pk] [PH] TitleName=#Unknown locale [ph] [PE] TitleName=#Unknown locale [pe] [PA] TitleName=#Unknown locale [pa] [OM] TitleName=#Unknown locale [om] [NZ] TitleName=#Unknown locale [nz] [NO] TitleName=#Unknown locale [no] [NL] TitleName=#Unknown locale [nl] [NI] TitleName=#Unknown locale [ni] [MY] TitleName=#Unknown locale [my] [MX] TitleName=#Unknown locale [mx] [MV] TitleName=#Unknown locale [mv] [MO] TitleName=#Unknown locale [mo] [MN] TitleName=#Unknown locale [mn] [MK] TitleName=#Unknown locale [mk] [MC] TitleName=#Unknown locale [mc] [MA] TitleName=#Unknown locale [ma] [LY] TitleName=#Unknown locale [ly] [LV] TitleName=#Unknown locale [lv] [LU] TitleName=#Unknown locale [lu] [LT] TitleName=#Unknown locale [lt] [LI] TitleName=#Unknown locale [li] [LB] TitleName=#Unknown locale [lb] [KZ] TitleName=#Unknown locale [kz] [KW] TitleName=#Unknown locale [kw] [KR] TitleName=#Unknown locale [kr] [KG] TitleName=#Unknown locale [kg] [KE] TitleName=#Unknown locale [ke] [JP] TitleName=#Unknown locale [jp] [JO] TitleName=#Unknown locale [jo] [JM] TitleName=#Unknown locale [jm] [IT] TitleName=#Unknown locale [it] [IS] TitleName=#Unknown locale [is] [IR] TitleName=#Unknown locale [ir] [IQ] TitleName=#Unknown locale [iq] [IN] TitleName=#Unknown locale [in] [IL] TitleName=#Unknown locale [il] [IE] TitleName=#Unknown locale [ie] [ID] TitleName=#Unknown locale [id] [HU] TitleName=#Unknown locale [hu] [HR] TitleName=#Unknown locale [hr] [HN] TitleName=#Unknown locale [hn] [HK] TitleName=#Unknown locale [hk] [GT] TitleName=#Unknown locale [gt] [GR] TitleName=#Unknown locale [gr] [GE] TitleName=#Unknown locale [ge] [GB] TitleName=#Unknown locale [gb] [FR] TitleName=#Unknown locale [fr] [FO] TitleName=#Unknown locale [fo] [FI] TitleName=#Unknown locale [fi] [ES] TitleName=#Unknown locale [es] [EG] TitleName=#Unknown locale [eg] [EE] TitleName=#Unknown locale [ee] [EC] TitleName=#Unknown locale [ec] [DZ] TitleName=#Unknown locale [dz] [DO] TitleName=#Unknown locale [do] [DK] TitleName=#Unknown locale [dk] [DE] TitleName=#Unknown locale [de] [CZ] TitleName=#Unknown locale [cz] [CR] TitleName=#Unknown locale [cr] [CO] TitleName=#Unknown locale [co] [CN] TitleName=#Unknown locale [cn] [CL] TitleName=#Unknown locale [cl] [CH] TitleName=#Unknown locale [ch] [CA] TitleName=#Unknown locale [ca] [BZ] TitleName=#Unknown locale [bz] [BY] TitleName=#Unknown locale [by] [BR] TitleName=#Unknown locale [br] [BO] TitleName=#Unknown locale [bo] [BN] TitleName=#Unknown locale [bn] [BH] TitleName=#Unknown locale [bh] [BG] TitleName=#Unknown locale [bg] [BE] TitleName=#Unknown locale [be] [AZ] TitleName=#Unknown locale [az] [AU] TitleName=#Unknown locale [au] [AT] TitleName=#Unknown locale [at] [AR] TitleName=#Unknown locale [ar] [AM] TitleName=#Unknown locale [am] [AL] TitleName=#Unknown locale [al] [AE] TitleName=#Unknown locale [ae] [default] TitleName=#Known locale [default] - (fallback) [EN] TitleName=#Known locale [EN] - english [JA] TitleName=#Known locale [JA] - (japanese) [DE] TitleName=#Known locale [DE] - deutsch [FR] TitleName=#Known locale [FR] - francais [ES] TitleName=#Known locale [ES] - espanol [IT] TitleName=#Known locale [IT] - italiano [KO] TitleName=#Known locale [KO] - (korean) [TW] TitleName=#Known locale [TW] - (taiwanese) [BR] TitleName=#Known locale [BR] - portugues </pre> == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- 7df753feec12f39e446bf9aaf5f82fd3f18460dd 6792 6791 2019-10-21T00:12:22Z JayFoxRox 2 Add more info about locales wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == TitleMeta.xbx locales == Put this into a file and move it to "E:/UDATA/13371337/TitleMeta.xbx" and check which languages your MS dashboard supports. I have dumped the locales from a list in xboxdash.xbe in dashboard version 1.00.5960.01 from Germany. I've then tried all languages that my Xbox dashboard supported in NTSC mode. <pre> TitleName=#Known locale - (fallback, same as [default]) [ZW] TitleName=#Unknown locale [zw] [ZA] TitleName=#Unknown locale [za] [YE] TitleName=#Unknown locale [ye] [VN] TitleName=#Unknown locale [vn] [VE] TitleName=#Unknown locale [ve] [UZ] TitleName=#Unknown locale [uz] [UY] TitleName=#Unknown locale [uy] [US] TitleName=#Unknown locale [us] [UA] TitleName=#Unknown locale [ua] [TW] TitleName=#Unknown locale [tw] [TT] TitleName=#Unknown locale [tt] [TR] TitleName=#Unknown locale [tr] [TN] TitleName=#Unknown locale [tn] [TH] TitleName=#Unknown locale [th] [SY] TitleName=#Unknown locale [sy] [SV] TitleName=#Unknown locale [sv] [SK] TitleName=#Unknown locale [sk] [SI] TitleName=#Unknown locale [si] [SG] TitleName=#Unknown locale [sg] [SE] TitleName=#Unknown locale [se] [SA] TitleName=#Unknown locale [sa] [RU] TitleName=#Unknown locale [ru] [RO] TitleName=#Unknown locale [ro] [QA] TitleName=#Unknown locale [qa] [PY] TitleName=#Unknown locale [py] [PT] TitleName=#Unknown locale [pt] [PR] TitleName=#Unknown locale [pr] [PL] TitleName=#Unknown locale [pl] [PK] TitleName=#Unknown locale [pk] [PH] TitleName=#Unknown locale [ph] [PE] TitleName=#Unknown locale [pe] [PA] TitleName=#Unknown locale [pa] [OM] TitleName=#Unknown locale [om] [NZ] TitleName=#Unknown locale [nz] [NO] TitleName=#Unknown locale [no] [NL] TitleName=#Unknown locale [nl] [NI] TitleName=#Unknown locale [ni] [MY] TitleName=#Unknown locale [my] [MX] TitleName=#Unknown locale [mx] [MV] TitleName=#Unknown locale [mv] [MO] TitleName=#Unknown locale [mo] [MN] TitleName=#Unknown locale [mn] [MK] TitleName=#Unknown locale [mk] [MC] TitleName=#Unknown locale [mc] [MA] TitleName=#Unknown locale [ma] [LY] TitleName=#Unknown locale [ly] [LV] TitleName=#Unknown locale [lv] [LU] TitleName=#Unknown locale [lu] [LT] TitleName=#Unknown locale [lt] [LI] TitleName=#Unknown locale [li] [LB] TitleName=#Unknown locale [lb] [KZ] TitleName=#Unknown locale [kz] [KW] TitleName=#Unknown locale [kw] [KR] TitleName=#Unknown locale [kr] [KG] TitleName=#Unknown locale [kg] [KE] TitleName=#Unknown locale [ke] [JP] TitleName=#Unknown locale [jp] [JO] TitleName=#Unknown locale [jo] [JM] TitleName=#Unknown locale [jm] [IT] TitleName=#Unknown locale [it] [IS] TitleName=#Unknown locale [is] [IR] TitleName=#Unknown locale [ir] [IQ] TitleName=#Unknown locale [iq] [IN] TitleName=#Unknown locale [in] [IL] TitleName=#Unknown locale [il] [IE] TitleName=#Unknown locale [ie] [ID] TitleName=#Unknown locale [id] [HU] TitleName=#Unknown locale [hu] [HR] TitleName=#Unknown locale [hr] [HN] TitleName=#Unknown locale [hn] [HK] TitleName=#Unknown locale [hk] [GT] TitleName=#Unknown locale [gt] [GR] TitleName=#Unknown locale [gr] [GE] TitleName=#Unknown locale [ge] [GB] TitleName=#Unknown locale [gb] [FR] TitleName=#Unknown locale [fr] [FO] TitleName=#Unknown locale [fo] [FI] TitleName=#Unknown locale [fi] [ES] TitleName=#Unknown locale [es] [EG] TitleName=#Unknown locale [eg] [EE] TitleName=#Unknown locale [ee] [EC] TitleName=#Unknown locale [ec] [DZ] TitleName=#Unknown locale [dz] [DO] TitleName=#Unknown locale [do] [DK] TitleName=#Unknown locale [dk] [DE] TitleName=#Unknown locale [de] [CZ] TitleName=#Unknown locale [cz] [CR] TitleName=#Unknown locale [cr] [CO] TitleName=#Unknown locale [co] [CN] TitleName=#Unknown locale [cn] [CL] TitleName=#Unknown locale [cl] [CH] TitleName=#Unknown locale [ch] [CA] TitleName=#Unknown locale [ca] [BZ] TitleName=#Unknown locale [bz] [BY] TitleName=#Unknown locale [by] [BR] TitleName=#Unknown locale [br] [BO] TitleName=#Unknown locale [bo] [BN] TitleName=#Unknown locale [bn] [BH] TitleName=#Unknown locale [bh] [BG] TitleName=#Unknown locale [bg] [BE] TitleName=#Unknown locale [be] [AZ] TitleName=#Unknown locale [az] [AU] TitleName=#Unknown locale [au] [AT] TitleName=#Unknown locale [at] [AR] TitleName=#Unknown locale [ar] [AM] TitleName=#Unknown locale [am] [AL] TitleName=#Unknown locale [al] [AE] TitleName=#Unknown locale [ae] [default] TitleName=#Known locale [default] - (fallback) [EN] TitleName=#Known locale [EN] - english [JA] TitleName=#Known locale [JA] - (japanese) [DE] TitleName=#Known locale [DE] - deutsch [FR] TitleName=#Known locale [FR] - francais [ES] TitleName=#Known locale [ES] - espanol [IT] TitleName=#Known locale [IT] - italiano [KO] TitleName=#Known locale [KO] - (korean) [TW] TitleName=#Known locale [TW] - (taiwanese) [BR] TitleName=#Known locale [BR] - portugues </pre> == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- c1738c6b67e146f7de6164276a1d0c7f817751e6 6794 6792 2019-10-24T15:53:11Z JayFoxRox 2 Add more savegame notes wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Savegame notes == There's no database or anything for savegames - the directory-listing APIs are used to enumerate all savegames. The data is obviously in E:/UDATA/. Each XBE has a subdirectory for it's title-id. Then each save is a subdirectory (I'm not sure about the name; but it's some 48-bit hex value). XAPI would normally initialize title-images before `main()` of the XBE. The data is copied from sections "$$XTIMAGE" (TitleImage.xbx) and "$XSIMAGE" (saveimage.xbx in savegame folder). I believe the saveimage can differ for different save-games, which implies that they probably have another API. I'm also not sure where it would put saveimages, because no savegame exists then. The images are [[XPR]], and could theoretically be any format supported by the GPU. The dashboard expects them to be swizzled (checks on load imply this), but linear textures might still work. Metadata is stored in TitleMeta.xbx and SaveMeta.xbx (in savegame folder). I'm not sure when / how they are initialized. I'm not sure if they are already shown in the dashboard, even if metadata is missing. Metadata are INI files, which are implicitly prefixed with `[default]`. I don't think there's any comments allowed. I believe that XAPI has a hardcoded emitter. Whereas the dashboard has some INI parser. I'm not sure about the parser in XAPI (or if it even has one). I believe metadata also supports keys without values. When reading, it will try to read a localized version first, before reading from the `[default]` section. I have looked at many savegames, but had never seen this. I'm not sure if this was ever used. I believe the metadata files can be ASCII or Unicode (using [Unicode BOM prefix](https://en.wikipedia.org/wiki/Byte_order_mark)) Titledata in E:/TDATA is similar. The user soundtrack / music collection is using a database file. See [[Soundtracks]]. === TitleMeta.xbx locales === Put this into a file and move it to "E:/UDATA/13371337/TitleMeta.xbx" and check which languages your MS dashboard supports. I have dumped the locales from a list in xboxdash.xbe in dashboard version 1.00.5960.01 from Germany. I've then tried all languages that my Xbox dashboard supported in NTSC mode. <pre> TitleName=#Known locale - (fallback, same as [default]) [ZW] TitleName=#Unknown locale [zw] [ZA] TitleName=#Unknown locale [za] [YE] TitleName=#Unknown locale [ye] [VN] TitleName=#Unknown locale [vn] [VE] TitleName=#Unknown locale [ve] [UZ] TitleName=#Unknown locale [uz] [UY] TitleName=#Unknown locale [uy] [US] TitleName=#Unknown locale [us] [UA] TitleName=#Unknown locale [ua] [TW] TitleName=#Unknown locale [tw] [TT] TitleName=#Unknown locale [tt] [TR] TitleName=#Unknown locale [tr] [TN] TitleName=#Unknown locale [tn] [TH] TitleName=#Unknown locale [th] [SY] TitleName=#Unknown locale [sy] [SV] TitleName=#Unknown locale [sv] [SK] TitleName=#Unknown locale [sk] [SI] TitleName=#Unknown locale [si] [SG] TitleName=#Unknown locale [sg] [SE] TitleName=#Unknown locale [se] [SA] TitleName=#Unknown locale [sa] [RU] TitleName=#Unknown locale [ru] [RO] TitleName=#Unknown locale [ro] [QA] TitleName=#Unknown locale [qa] [PY] TitleName=#Unknown locale [py] [PT] TitleName=#Unknown locale [pt] [PR] TitleName=#Unknown locale [pr] [PL] TitleName=#Unknown locale [pl] [PK] TitleName=#Unknown locale [pk] [PH] TitleName=#Unknown locale [ph] [PE] TitleName=#Unknown locale [pe] [PA] TitleName=#Unknown locale [pa] [OM] TitleName=#Unknown locale [om] [NZ] TitleName=#Unknown locale [nz] [NO] TitleName=#Unknown locale [no] [NL] TitleName=#Unknown locale [nl] [NI] TitleName=#Unknown locale [ni] [MY] TitleName=#Unknown locale [my] [MX] TitleName=#Unknown locale [mx] [MV] TitleName=#Unknown locale [mv] [MO] TitleName=#Unknown locale [mo] [MN] TitleName=#Unknown locale [mn] [MK] TitleName=#Unknown locale [mk] [MC] TitleName=#Unknown locale [mc] [MA] TitleName=#Unknown locale [ma] [LY] TitleName=#Unknown locale [ly] [LV] TitleName=#Unknown locale [lv] [LU] TitleName=#Unknown locale [lu] [LT] TitleName=#Unknown locale [lt] [LI] TitleName=#Unknown locale [li] [LB] TitleName=#Unknown locale [lb] [KZ] TitleName=#Unknown locale [kz] [KW] TitleName=#Unknown locale [kw] [KR] TitleName=#Unknown locale [kr] [KG] TitleName=#Unknown locale [kg] [KE] TitleName=#Unknown locale [ke] [JP] TitleName=#Unknown locale [jp] [JO] TitleName=#Unknown locale [jo] [JM] TitleName=#Unknown locale [jm] [IT] TitleName=#Unknown locale [it] [IS] TitleName=#Unknown locale [is] [IR] TitleName=#Unknown locale [ir] [IQ] TitleName=#Unknown locale [iq] [IN] TitleName=#Unknown locale [in] [IL] TitleName=#Unknown locale [il] [IE] TitleName=#Unknown locale [ie] [ID] TitleName=#Unknown locale [id] [HU] TitleName=#Unknown locale [hu] [HR] TitleName=#Unknown locale [hr] [HN] TitleName=#Unknown locale [hn] [HK] TitleName=#Unknown locale [hk] [GT] TitleName=#Unknown locale [gt] [GR] TitleName=#Unknown locale [gr] [GE] TitleName=#Unknown locale [ge] [GB] TitleName=#Unknown locale [gb] [FR] TitleName=#Unknown locale [fr] [FO] TitleName=#Unknown locale [fo] [FI] TitleName=#Unknown locale [fi] [ES] TitleName=#Unknown locale [es] [EG] TitleName=#Unknown locale [eg] [EE] TitleName=#Unknown locale [ee] [EC] TitleName=#Unknown locale [ec] [DZ] TitleName=#Unknown locale [dz] [DO] TitleName=#Unknown locale [do] [DK] TitleName=#Unknown locale [dk] [DE] TitleName=#Unknown locale [de] [CZ] TitleName=#Unknown locale [cz] [CR] TitleName=#Unknown locale [cr] [CO] TitleName=#Unknown locale [co] [CN] TitleName=#Unknown locale [cn] [CL] TitleName=#Unknown locale [cl] [CH] TitleName=#Unknown locale [ch] [CA] TitleName=#Unknown locale [ca] [BZ] TitleName=#Unknown locale [bz] [BY] TitleName=#Unknown locale [by] [BR] TitleName=#Unknown locale [br] [BO] TitleName=#Unknown locale [bo] [BN] TitleName=#Unknown locale [bn] [BH] TitleName=#Unknown locale [bh] [BG] TitleName=#Unknown locale [bg] [BE] TitleName=#Unknown locale [be] [AZ] TitleName=#Unknown locale [az] [AU] TitleName=#Unknown locale [au] [AT] TitleName=#Unknown locale [at] [AR] TitleName=#Unknown locale [ar] [AM] TitleName=#Unknown locale [am] [AL] TitleName=#Unknown locale [al] [AE] TitleName=#Unknown locale [ae] [default] TitleName=#Known locale [default] - (fallback) [EN] TitleName=#Known locale [EN] - english [JA] TitleName=#Known locale [JA] - (japanese) [DE] TitleName=#Known locale [DE] - deutsch [FR] TitleName=#Known locale [FR] - francais [ES] TitleName=#Known locale [ES] - espanol [IT] TitleName=#Known locale [IT] - italiano [KO] TitleName=#Known locale [KO] - (korean) [TW] TitleName=#Known locale [TW] - (taiwanese) [BR] TitleName=#Known locale [BR] - portugues </pre> == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- 25d1d8cec3c26c0e3edc17e2dea7ecce4f4ce627 0 3695 6793 6449 2019-10-23T16:38:13Z JayFoxRox 2 Remove full compatiblity list and clarify the state of the existing list wikitext text/x-wiki xqemu is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. The official homepage can be found at [http://xqemu.com xqemu.com] == Compatiblity list == There is a temporary compatibility list that was almost entirely created by [https://www.youtube.com/user/pcmaker2 pcmaker (also known as John Godgames)] since 2015. The [https://docs.google.com/spreadsheets/d/1sVtQ9SNPathKAMCqfYtvJQP0bs0UeLzP9otPHvZDMwE/edit#gid=709879345 newest compatibility list from 2018] still has some problems though. You should not blindly trust these reports. A major issue is that the version information for some reports is incorrect. This means that some games are reported as working, when they don't work in official versions (yet). They were tested with development versions build by developers, using incomplete features. Some of those features might also not be public anymore, so you can't even repeat those tests. XQEMU is also under development, new features in the official versions might have resolved some issues, or caused new ones. You should only use these compatibility reports to get a rough idea about the state of XQEMU and where development is heading. You can also search for XQEMU videos on YouTube (like "XQEMU Halo") and you'll usually find something. Note that many of those videos are also made using development builds that aren't always public. Typically, the video descriptions contain more information about the used builds. == XQEMU-JFR == XQEMU-JFR is a now defunct fork of XQEMU by JayFoxRox. Most of the changes have since been integrated back into the official version of XQEMU. The archived version can be found at https://github.com/JayFoxRox/xqemu-jfr 3de52cfac763a407f4d3c07a6e41992bf52c8691 0 3991 6795 2019-10-24T16:32:44Z JayFoxRox 2 Add some rough information about XPRs wikitext text/x-wiki '''XPR''' probably stands for '''Xbox Packed Resource'''. It's a structure and file-format used by the [[Microsoft XDK]]. It is being used in parts of [[XAPI]]. XPRs can store a variety of different data types that are useful for Xbox D3D. XPRs are storing data similar to internal structures in the D3D driver. So D3D has mechanisms to simply load such resources into D3D objects (by moving them into GPU accessible memory). The structure is something like this{{FIXME|Untested pseudo-code}}: <pre> struct { char magic[4]; // Always "XPR0" / 0x30525058 uint32_t size; // Size of XPR (including magic and this field) uint32_t header_size; // Size of the following header (always 2048?) } XPR; </pre> This is followed by: <pre> union { struct { union { uint32_t flags; // Type information and who "owns" this resource struct { uint32_t ref_count:16; // (lowest bits) uint32_t type:3; uint32_t unk3:13; // (highest bits) }; }; union { // Vertexbuffer (type 0x0) ... } vertexbuffer; union { // Indexbuffer (type 0x1) ... } indexbuffer; union { // Unknown (type 0x2) ... } ...; union { // Unknown (type 0x3) ... } ...; union { // Texture (type 0x4) uint32_t unk0; // Always 0? uint32_t unk1; // Always 0? uint32_t format; // GPU register uint32_t unk2; // Always 0? uint32_t end; // Always 0xFFFFFFFF } texture; union { // Unknown (type 0x5) ... } ...; union { // Unknown (type 0x6) ... } ...; union { // Unknown (type 0x7) ... } ...; }; uint8_t pad[2048]; // Padded with 0xAD bytes } XPR_header; </pre> {{FIXME|one of the unknowns in the texture is probably offset into data}} The headers are then followed by the resource data. ffd2253c90173a205f83dbc7f533130ebe1e7b46 6 3992 6796 2019-10-26T18:29:16Z Haxar 2485 Image extracted from LFRAME-for-v1_3-and-up.pdf wikitext text/x-wiki Image extracted from LFRAME-for-v1_3-and-up.pdf c3b8659c479fe3455c6abec502d632988a50ecc1 6 3993 6797 2019-10-26T18:33:31Z Haxar 2485 Image provided by dreimer wikitext text/x-wiki Image provided by dreimer cca8a249e0d069c8004563a061e54942c058b766 6 3994 6798 2019-10-26T18:34:18Z Haxar 2485 Image provided by dreimer wikitext text/x-wiki Image provided by dreimer cca8a249e0d069c8004563a061e54942c058b766 0 3909 6799 6764 2019-10-26T18:47:32Z Haxar 2485 Embed LFRAME# reconnection images from external links wikitext text/x-wiki {|class="wikitable" style="float:right;margin-left:10px;" |+ Pin Layout |- ! style="text-align:right" | Name !! style="text-align:right" | Pin !! Pin !! Name |- | style="text-align:right" | SERIRQ (v1.0) || style="text-align:right" | 16 || 15 || 3.3V |- | style="text-align:right" | SDA || style="text-align:right" | 14 || 13 || SCL |- | style="text-align:right" | GND || style="text-align:right" | 12 || 11 || LAD0 |- | style="text-align:right" | LAD1 || style="text-align:right" | 10 || 9 || 3.3V |- | style="text-align:right" | LAD2 || style="text-align:right" | 8 || 7 || LAD3 |- | style="text-align:right" | 5V || style="text-align:right" | 6 || 5 || LRESET# |- | style="text-align:right" | PWR (v1.6) || style="text-align:right" | 4 || 3 || LFRAME# |- | style="text-align:right" | GND || style="text-align:right" | 2 || 1 || LCLK |} The '''LPC Debug Port''' is an unpopulated 2x8 2.54mm (0.1") footprint on the Xbox motherboard that provides access to the system's [https://en.wikipedia.org/wiki/Low_Pin_Count Low Pin Count] Bus, as well as the [[SMBus]]. Throughout the Xbox's lifetime, Microsoft modified the LPC port in an attempt to prevent modding and, in some cases, it must be "rebuilt" to restore the port's full functionality. Rebuilding the LPC debug port involves soldering wires between it and very small vias on the motherboard. The LPC bus is controlled by the [[MCPX|MCPX southbridge]], which conforms to the Intel Low Pin Count Specification 1.0. == Pins == * '''3.3V''' (15 & 9) - Provides 3.3V while the Xbox is powered on. On 1.6 hardware, pin 9 is disconnected. Reconnect to pin 15 to restore the supply voltage. * '''SDA''' (14) - [[SMBus]] data and address signal. * '''SCL''' (13) - [[SMBus]] clock signal. * '''GND''' (12 & 2) - Ground. * '''LAD[3:0]''' (11, 10, 8, 7) - LPC address and data signals. * '''5V''' (6) - Provides 5V while the Xbox is powered on or v1.6 always on when AC plugged in. * '''LRESET#''' (5) - LPC reset signal; same as PCIRST#. * '''PWR''' (4) - On pre-1.6 hardware, this pin does not physically exist. On 1.6 hardware, this pin is connected to the power button. Shorting it to ground will turn the Xbox on and off. * '''LFRAME#''' (3) - LPC start-of-cycle signal. On 1.3-1.5 hardware, this pin is disconnected. See [[LPC_Debug_Port#LFRAME.23_reconnect|LFRAME# reconnect]] for a possible reconnection. * '''LCLK''' (1) - 33MHz LPC clock signal; same as PCICLK. The debug port lacks the optional LDRQ#, SERIRQ, CLKRUN#, PME#, LPCPD#, and LSMI# signals. This means peripherals connected to the debug port cannot utilize interrupt, DMA, bus mastering, or power management features. == LFRAME# reconnect == [[File:LFRAME-for-v1_3-and-up.png|thumb|200px|Disconnected LFRAME# can be reconstructed with via found on all [[MCPX]] revisions]] It is possible to reconnect the LFRAME# signal to the LPC port on 1.3-1.5 hardware by tapping the MCPX soldermask and soldering a jumper wire from the via to the disconnected pin on the LPC port. Result should look similar to this: [[File:Dreimer-lframe-v1-3-reconnect.jpg|500px|Image provided by dreimer]] In the end, we can gain kernel debug output from Super I/O serial again: [[File:Dreimer-lframe-v1-3-windbg.png|500px|Image provided by dreimer]] This reconnection was tested on 1.3 hardware, and should also work with the later 1.4 and 1.5 revisions. == References == * [https://web.archive.org/web/20140805105234/http://dwl.xbox-scene.com/~xbox/xbox-scene/tutorials/LFRAME-for-v1_3-and-up.pdf LFRAME-for-v1_3-and-up.pdf] An old manual from Xbox-Scene that explains how to reconnect '''LFRAME#''' (3) for a Cheapmod. This we don't care about, but is what we want for [[Kernel_Debug|kernel debugging]] via [[Super_I/O|Super I/O]]. Thanks to dreimer for finding and testing this documentation. f08d7bd3d7d8cbb7d8b47f83e6a311566961c6bf 0 12 6800 5845 2019-11-19T17:03:02Z PatrickvL 2473 inserted 3944, moved (*) after version number wikitext text/x-wiki The official XDK (Xbox Development Kit) was only released to licensed developers. However, it got leaked a couple of times. == List of known versions == {| class="wikitable" ! Version ! Comments |- ! 3424 | April 2001 XDK and SDK (03.01.01 - New for April XDK release) |- ! 3521 | May XDK 2001 |- ! 3911(*) | August XDK 2001 (( Final Hardware Recovery) (build on WIN2000 5. 2134/2195 ? 5.1.2258.400) |- ! 3925(*) | Retail? XDK |- ! 3936(*) | |- ! 3937(*) | |- ! 3941(*) | |- ! 3944(*) | Seen in 5933 symbols folder |- ! 3948(*) | |- ! 3950(*) | |- ! 4020(*) | Seen on an official Xbox recovery tool |- ! 4034(*) | |- ! 4039(*) | |- ! 4134(*) | December 2001 XDK |- ! 4242(*) | February 2002 XDK |- ! 4361 | March 2002 XDK |- ! 4400 | rare |- ! 4432 | April 2002 XDK |- ! 4531 | May 2002 XDK |- ! 4627 | June 2002 XDK |- ! 4721 | July 2002 XDK |- ! 4831 | August 2002 XDK |- ! 4928 | September 2002 XDK |- ! 5028 | October 2002 XDK |- ! 5120 | November 2002 XDK |- ! 5233 | December 2002 XDK |- ! 5344 | February 2003 XDK |- ! 5455 | April 2003 XDK |- ! 5558 | June 2003 XDK |- ! 5659 | August 2003 XDK |- ! 5788 | November 2003 XDK |- ! 5849 | December 2003 XDK |- ! 5849 | .16 |- ! 5933 | uncertain number - Dxbx code mentions 5911 (wich seemed incorrect) |- ! 5960 | last official dashboard |} (*) : Earlier XDK's contained libraries with different versions numbers. Before or around XDK version 4361, all libraries in the XDK were given the same version number. Note : An even more complete listing can be found here : http://codeasm.com/xbox/files/Xbox%20Kernel_Dash_XDK%20versions.txt 26f16400282c2379d61f7ab890038418a98b1102 0 3751 6801 6713 2019-12-11T14:25:36Z Codeasm 2480 /* Frogger Beyond */ added source for Frogger (disappointingly not much) wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] be4111a5710e582d74ec2d5ef33f1e5de3942f9c 6809 6801 2019-12-23T22:21:04Z JayFoxRox 2 Add analysis of 007 savegame exploit wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] e19ad3a59c8db7a265a0422dd1f9fd7b174ca574 6832 6809 2020-02-07T20:40:25Z Redherring32 2513 /* TEA attack (MCPX 1.1 only) */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. |- |'''Star Wars: Clone Wars - Volume Two''' [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' [[Battlefront]] Untested |- |'''Star Wars Trilogy DVD with Demo''' [[Lego Star Wars 2]] Untested |- |'''Star Wars: Clone Wars - Volume One''' [[Battlefront]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' [[Doom 3]] Untested |- |'''Hulk (Special Edition)''' [[Hulk]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' [[Van Helsing]] Untested |- |'''Clone Wars Volume 1''' [[Republic Commando]] Untested |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 2baebb0a433d3297753219842c9ce8bdedcac66d 0 3822 6802 6461 2019-12-15T21:44:00Z Redherring32 2513 Fixed various types, and adjusted some sentences to read easier/better. wikitext text/x-wiki There are a few hardware differences and software differences between development kits, but generally the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are differences internally from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the development kits and debugkits. Some rare boards are found with different MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unknown port) its been rumored that the blocked USB port (unblocked on DVT3) on the back of Development kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debugging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of careful debugging of the running kernel to diagnose occuring faults or errors. At early boot of the recovery software, a network IP address is attempted, probably to setup for another way of diagnosing and remote control using the available software like later XDK software. The Alpha is built with the following parts or software: === Alpha I === * Intel VC820, running a pre-release BIOS * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforce 2 GTS 64MB * A xircom PCPGI2(OPTI 82C861) 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} * Hard drive is a WD205AA (20.5 Gb) or fujitsu MPF3204AT (20.4 Gb) * ATNG 250w or a 300w powersupply These were then programmed by use of a recovery disk that "recovered" the system. The case is a customized globalwin ycc-802. (color silver and an added jewel) === Alpha II === The Alpha II was an upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN * Nvidia Geforce3 NV20 (64MB ram) with a Pre-retail firmware (180-p0050-0000-a09) A supplied Recovery made the necessary firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha. Same hardware as a Alpha I/II, but you dont seem to need the pre-retail firmwares or BIOSes. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out sub-board isn't necessary, as VGA seems to work fine. color or different kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while intentionally incorrectly installing or configuring the computer. These results may vary with official parts, configs, BIOS or firmware. Or due to differences in hardware. These are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primary channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was being tested. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} All functions a debug with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] e9b6375b1c8845719d1cb9329b471d68e6240a5e 6803 6802 2019-12-15T21:45:10Z Redherring32 2513 /* DVT3/DVT4 */ wikitext text/x-wiki There are a few hardware differences and software differences between development kits, but generally the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are differences internally from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the development kits and debugkits. Some rare boards are found with different MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unknown port) its been rumored that the blocked USB port (unblocked on DVT3) on the back of Development kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debugging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of careful debugging of the running kernel to diagnose occuring faults or errors. At early boot of the recovery software, a network IP address is attempted, probably to setup for another way of diagnosing and remote control using the available software like later XDK software. The Alpha is built with the following parts or software: === Alpha I === * Intel VC820, running a pre-release BIOS * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforce 2 GTS 64MB * A xircom PCPGI2(OPTI 82C861) 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} * Hard drive is a WD205AA (20.5 Gb) or fujitsu MPF3204AT (20.4 Gb) * ATNG 250w or a 300w powersupply These were then programmed by use of a recovery disk that "recovered" the system. The case is a customized globalwin ycc-802. (color silver and an added jewel) === Alpha II === The Alpha II was an upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN * Nvidia Geforce3 NV20 (64MB ram) with a Pre-retail firmware (180-p0050-0000-a09) A supplied Recovery made the necessary firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha. Same hardware as a Alpha I/II, but you dont seem to need the pre-retail firmwares or BIOSes. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out sub-board isn't necessary, as VGA seems to work fine. color or different kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while intentionally incorrectly installing or configuring the computer. These results may vary with official parts, configs, BIOS or firmware. Or due to differences in hardware. These are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primary channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas or only for the particular motherboard that was being tested. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} Has all the functions of a debug, with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] c8b71bba5892fe5642ef859a5cfdb9cd70de88e0 6804 6803 2019-12-15T21:46:16Z Redherring32 2513 /* Posible solutions on fixing a (franken) alpha(2) */ wikitext text/x-wiki There are a few hardware differences and software differences between development kits, but generally the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more are differences internally from diferent MCP revisions, GPU revisions and board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the development kits and debugkits. Some rare boards are found with different MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unknown port) its been rumored that the blocked USB port (unblocked on DVT3) on the back of Development kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debugging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of careful debugging of the running kernel to diagnose occuring faults or errors. At early boot of the recovery software, a network IP address is attempted, probably to setup for another way of diagnosing and remote control using the available software like later XDK software. The Alpha is built with the following parts or software: === Alpha I === * Intel VC820, running a pre-release BIOS * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforce 2 GTS 64MB * A xircom PCPGI2(OPTI 82C861) 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} * Hard drive is a WD205AA (20.5 Gb) or fujitsu MPF3204AT (20.4 Gb) * ATNG 250w or a 300w powersupply These were then programmed by use of a recovery disk that "recovered" the system. The case is a customized globalwin ycc-802. (color silver and an added jewel) === Alpha II === The Alpha II was an upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN * Nvidia Geforce3 NV20 (64MB ram) with a Pre-retail firmware (180-p0050-0000-a09) A supplied Recovery made the necessary firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha. Same hardware as a Alpha I/II, but you dont seem to need the pre-retail firmwares or BIOSes. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out sub-board isn't necessary, as VGA seems to work fine. color or different kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while intentionally incorrectly installing or configuring the computer. These results may vary with official parts, configs, BIOS or firmware. Or due to differences in hardware. These are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primary channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas, or only for the particular motherboard that was being tested. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} Has all the functions of a debug, with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] b8fa2bc7779313a0f78e38349a5e05ddd5dc3aa4 6805 6804 2019-12-15T21:48:15Z Redherring32 2513 wikitext text/x-wiki There are a few hardware differences and software differences between development kits, but generally the following hardware is known to be exist: * Alpha I and II kits * DVT3 Development Kits * DVT4 Development Kits * Debug kits Further more there are differences internally from different MCPX revisions, and GPU revisions, to different board layouts. Sega Chihiro boards seem to be based on DVT4 Development/Debug kits. either using overproduction or on purpose produced MCPX-X2 as found in the development kits and debugkits. Some rare boards are found with different MCPX chips that also have a special port near the CPU, and a extra USB port on the backside of the board (connected to the MCPX to unknown port) its been rumored that the blocked USB port (unblocked on DVT3) on the back of Development kits where either a leftover of these extra usb port or used for JVS development and/or testing. == Alpha == {{FIXME| needs checking with real ALpha 1 and 2}} Contructed using "off the shelf" hardware, probably before retail release from Intel. The alpha hardware allowed kernel debugging to be done over one of the rs232 ports and standard WinDBG software can make these messages and control work. This allows of careful debugging of the running kernel to diagnose occuring faults or errors. At early boot of the recovery software, a network IP address is attempted, probably to setup for another way of diagnosing and remote control using the available software like later XDK software. The Alpha is built with the following parts or software: === Alpha I === * Intel VC820, running a pre-release BIOS * 128Mb RDRAM with an terminator * 600Mhz CPU * Nvidia Geforce 2 GTS 64MB * A xircom PCPGI2(OPTI 82C861) 2 USB port PCI card * Intel 82559(ic) Network card {{FIXME}} * Hard drive is a WD205AA (20.5 Gb) or fujitsu MPF3204AT (20.4 Gb) * ATNG 250w or a 300w powersupply These were then programmed by use of a recovery disk that "recovered" the system. The case is a customized globalwin ycc-802. (color silver and an added jewel) === Alpha II === The Alpha II was an upgrade kit or constructed the same as a Alpha I with the following upgrades: * 733MHz CPU SL3XN * Nvidia Geforce3 NV20 (64MB ram) with a Pre-retail firmware (180-p0050-0000-a09) A supplied Recovery made the necessary firmware upgrades{{citation needed}} and updated the dashboard. === Franken Alpha === This is a listing of notes on how to make a Alpha I or II yourself, also known as a FrankenAlpha. Same hardware as a Alpha I/II, but you dont seem to need the pre-retail firmwares or BIOSes. Also, any Geforce3 is rumoured to work, as long as the GPU is of the NV20 series. The AV out sub-board isn't necessary, as VGA seems to work fine. color or different kinds of fans, cooling blocks or OEM vendor names doesnt seem to matter. The Opti usb board can be green, yellow or black. as long as the IC sports the 82C861 wording. if the VC820 sports any USB or Sound, it will not be used, the listed hardware boards are used instead, regardless of other hardware. (drivers arent in the kernel). ==== Posible solutions on fixing a (franken) alpha(2) ==== While fixing a frankenalpha, the following kernel errors occured while intentionally incorrectly installing or configuring the computer. These results may vary with official parts, configs, BIOS or firmware. Or due to differences in hardware. These are results from recovery 3521 as earlier ones did not work on the Alpha under test. ;IDEX hard disk not configured (status=51). :HDD too small ;IDEX hard disk not configured (status=ff). :HDD on the wrong bus, put on primary channel.(maybe wrong place on the cable itself) maybe add a jumper for master select? ;IDEX hard disk not found (status=7f). :HDD not connected (or dead) ;MP No video output because you are using an older video card. :Well, insert a Geforce3 card (NV20 based) ;WRN[XNET] EnetInitialize failed 0x801f0001 :Logo loads, with a halt when the sparkly bit is on the B of Xbox. The network card is missing, insert a GD82559 based intel network card FCC: EJMNPDALBANY (worked for me) ;[XNET] NicExecuteActionCmdAndWait failed!WRN[XNET] EnetInitialize failed 0x801f0001 :Network on wrong pci lane or no screen connected (VGA or S-video) * Tested Slot 1 as good (real close to the GPU, would not recommend) * Tested Slot 2 as not good * Tested Slot 3 as not good (*** Assertion failed: hwres.ResourceData.Address[0].Type == CmResourceTypeMemory * Tested Slot 4 as good * Tested Slot 5 as not good These might be wrong for official alphas, or only for the particular motherboard that was being tested. == Debug == Shaped and main parts consist of retail hardware with the following differences: * 128MB ram instead of default 64MB ram * MCPX revision X2, thus capable of running only Debug signed code{{FIXME|reason= can it still run retail code?}} * Hardisks loaded with retail and Debug shell files == DVT3/DVT4 == Harddisk is said to be locked by default with a 16size byte 0x00 key, but allowing to run with an unlocked harddrive of any size(larger then 20GB{{citation needed}} for minimal OS).DVT3 seems to have the back USB port to be uncovered and a slightly more glossy or shinier jewel on the top of the case. According to some sources, the DVT3 cannot be updated to further kernels/dashboards than 3911, the lowest/oldest being 3823.1(Borman said this?){{citation needed}} Has all the functions of a debug, with the addition of: * [[DVD_Emulator | DVD emulation]] * [[Kernel Debugging | Kernel_Debug]] over a dedicated [[Super_I/O | IO board ]] f226a371507df1a6a381ff4edc2af09aa2fea522 0 3768 6806 6687 2019-12-19T08:01:09Z JayFoxRox 2 Add source for dongle having to do with licensing wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 1bb84495821eb08b15a168d32049b3bd14280d66 0 3720 6807 6518 2019-12-22T23:47:26Z JayFoxRox 2 Add note about tweet which discusses Shrek wikitext text/x-wiki {{Game}} === Deferred Rendering === [[File:shrek-albedo.png|thumb|Albedo]] [[File:shrek-normals.png|thumb|Normals]] [[File:shrek-unk0.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-unk1.png|thumb|Lighting pass{{FIXME|reason=Might be something else}}]] [[File:shrek-final.png|thumb|Final composition]] Shrek uses [[wikipedia:Deferred Rendering|Deferred Rendering]]. Rich Geldreich, a developer of the game, has written multiple articles about the topic[https://sites.google.com/site/richgel99/home]. === Notes === * [https://twitter.com/richgel999/status/1208238264240361472 Tweet by Rich Geldreich about development in preparation for E3 demo of Shrek] a86f617ce2f44ea99b3afc91a30c6d0115230fc3 0 3756 6808 6779 2019-12-23T17:51:38Z JayFoxRox 2 Add links to existing PCB information wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == * [https://docs.google.com/spreadsheets/d/1oT4OtE95sguxA5KZrlwC_XEF3nlpzrql1ESycBGPtDA/edit#gid=0 Some measurements of passive components by Redherring32 (The Fish)]{{FIXME|reason=Taken from https://discordapp.com/channels/428359196719972353/428359434230693899/592363537343447040}} [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === * [https://github.com/Teufelchen1/XBOX-USB-HUB Homemade PCB remake by Teufelchen] [[File:USB_Daughterboard_front.png|100px|thumb|right|Xbox Version 1.0 USB Daughterboard]] {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == * [https://drive.google.com/drive/folders/17s6jIVTE3YztuqDr-ZxkhhXRutcDdY9O PCB scan by LoveMHz]{{FIXME|reason=Should live in some repo or something}} {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] 71b57b43b051482853ca5b2eb7712458e4e2326a 0 8 6810 6788 2019-12-30T18:05:59Z JayFoxRox 2 Add some BRDF links wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] dcd8e8ce32293f4af5361ea0399ad1b9e30ff0d6 6812 6810 2019-12-30T18:29:15Z JayFoxRox 2 Add more nvidia BRDF links wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] * nvidia resources ''(The code and technique is probably not using the texture shader that is described here)'': ** [http://www.nvidia.in/attach/6670 BRDFs.pdf] / [http://www.nvidia.in/attach/6669 BRDFs.ppt] ** [https://www.nvidia.com/attach/6568 BRDFIntro.pdf] / [https://www.nvidia.com/attach/6569 BRDFIntro.doc] ** [https://www.nvidia.com/attach/6567 BRDFSeparable.pdf] / [https://www.nvidia.com/attach/6566 BRDFSeparable.doc] ** [https://www.nvidia.com/attach/6570 brdfseparate.zip] ** [https://www.nvidia.com/attach/6571 brdfview.zip] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] d2cc600e7a99a41e5a06e45659a735b13d07ad42 6817 6812 2020-01-01T20:58:59Z JayFoxRox 2 BRDFSeparable.pdf currently not available through nvidia.com; use nvidia.co.uk wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] * nvidia resources ''(The code and technique is probably not using the texture shader that is described here)'': ** [http://www.nvidia.in/attach/6670 BRDFs.pdf] / [http://www.nvidia.in/attach/6669 BRDFs.ppt] ** [https://www.nvidia.com/attach/6568 BRDFIntro.pdf] / [https://www.nvidia.com/attach/6569 BRDFIntro.doc] ** [https://www.nvidia.co.uk/attach/6567 BRDFSeparable.pdf] / [https://www.nvidia.com/attach/6566 BRDFSeparable.doc] ** [https://www.nvidia.com/attach/6570 brdfseparate.zip] ** [https://www.nvidia.com/attach/6571 brdfview.zip] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 575c9b1e518aa3d701261948a59f1ad938a9e2a7 6819 6817 2020-01-04T02:12:33Z JayFoxRox 2 Add works by Disney wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [http://www.disneyanimation.com/technology/brdf.html Walt Disney BRDF Explorer] * [https://disney-animation.s3.amazonaws.com/library/s2012_pbs_disney_brdf_notes_v2.pdf Walt Disney BRDF Paper] * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] * nvidia resources ''(The code and technique is probably not using the texture shader that is described here)'': ** [http://www.nvidia.in/attach/6670 BRDFs.pdf] / [http://www.nvidia.in/attach/6669 BRDFs.ppt] ** [https://www.nvidia.com/attach/6568 BRDFIntro.pdf] / [https://www.nvidia.com/attach/6569 BRDFIntro.doc] ** [https://www.nvidia.co.uk/attach/6567 BRDFSeparable.pdf] / [https://www.nvidia.com/attach/6566 BRDFSeparable.doc] ** [https://www.nvidia.com/attach/6570 brdfseparate.zip] ** [https://www.nvidia.com/attach/6571 brdfview.zip] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 2d3ace46d39440693aa004286eed46f5dcc42ed4 0 3 6811 6604 2019-12-30T18:18:05Z JayFoxRox 2 Add some more talks / links wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ 1f5fe54fec97fe6466b2d651ba20a9d377c4a7a4 6814 6811 2019-12-30T19:00:10Z JayFoxRox 2 Add more links about graphics programming wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics and interesting effects == * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf c84083896552806f9bdbed3abcb111007acbed8e 6815 6814 2019-12-30T19:04:18Z JayFoxRox 2 Add Wrecked links wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics and interesting effects == * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf 26076b08ef4a090574d83524c6e0f8fedf1b6c73 6816 6815 2019-12-30T19:07:22Z JayFoxRox 2 Add more links and categorize background knowledge wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == === Graphics programming === * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf * [https://web.archive.org/web/20090518092325/http://www.daionet.gr.jp:80/~masa/column/index.html Masa's Column (DOUBLE-S.T.E.A.L / Wrecked developer)] * [https://fgiesen.wordpress.com/ Blog by ryg] e65b59717463f601b1f09b207edc37074c0329ad 6818 6816 2020-01-03T21:49:11Z JayFoxRox 2 Add Filmic Worlds as graphics resource wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == === Graphics programming === * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf * [https://web.archive.org/web/20090518092325/http://www.daionet.gr.jp:80/~masa/column/index.html Masa's Column (DOUBLE-S.T.E.A.L / Wrecked developer)] * [https://fgiesen.wordpress.com/ Blog by ryg] * [http://filmicworlds.com/blog/ Filmic Worlds] 8d1168d9e1b13b139da10f6cc783dc3df409b40b 6820 6818 2020-01-04T02:14:27Z JayFoxRox 2 Add AMD CubeMapGen link wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == === Graphics programming === * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf * [https://web.archive.org/web/20090518092325/http://www.daionet.gr.jp:80/~masa/column/index.html Masa's Column (DOUBLE-S.T.E.A.L / Wrecked developer)] * [https://fgiesen.wordpress.com/ Blog by ryg] * [http://filmicworlds.com/blog/ Filmic Worlds] * [https://gpuopen.com/archive/gamescgi/cubemapgen/ AMD CubeMapGen tool for mipmapping cubemaps] f2548616e1c1a7337e2d16d39c39df5119f2a99f 0 9 6813 6637 2019-12-30T18:51:10Z JayFoxRox 2 Add an interesting nvidia paper which describes some vertex shader tricks wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == * nvidia resources ** [https://www.nvidia.com/attach/6559 WhereIsThatVertexShaderInstruction.pdf] / [https://www.nvidia.com/attach/6560 WhereIsThatVertexShaderInstruction.doc] * [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions]{{FIXME|reason=Unconfirmed, needs testing}} [[Category:NV2A]] c26df947694641d8f5413e7250675c3a7c6a7220 0 3707 6821 6727 2020-01-05T02:55:17Z LoveMHz 2521 /* Further Reading */ wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter{{FIXME|reason=This is under control of running application / variation even in official products?}} ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | [[Config Sector|Config Area]] | 0x00000000 | 0x00080000 | Fixed Structure | N/A |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"''{{FIXME|reason=Mark as unofficial / homebrew}} :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"''{{FIXME|reason=Mark as unofficial / homebrew}} '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking == The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot. === Unlocking for Backups === Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [https://web.archive.org/web/20150502210033/http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] b922a582a50cf5f77b37972c2bab87a527663ade 0 3700 6822 6784 2020-01-20T03:28:57Z JayFoxRox 2 Add Samsung SH-D162C stock links wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{FIXME|reason=Link missing}} <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123082109/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 717c3b21d8bd1bea6d8075e138cce780012269c8 6823 6822 2020-01-20T03:30:04Z JayFoxRox 2 Undo previous change - those were SH-D162D links wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE | |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE | |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE | |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA | |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA | |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 972c6a8a54b442e5642aac262068b9d645129e18 6824 6823 2020-01-20T03:53:25Z JayFoxRox 2 Add more firmwares via https://web.archive.org/web/*/http://www.samsungodd.com/* wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |[https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe CH01] |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] da8b0e319c83c4c3b0868e4e7891fa7c7fc358ba 6825 6824 2020-01-20T04:16:09Z JayFoxRox 2 TS-H353B CH01 link is dead wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * SB00 Kreon 0.60 (July 30th 2006) * SB00 Kreon 0.80 (September 9th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] d5d2319c26df4e4a536be8e82a02f6f4016d9b43 6826 6825 2020-01-20T05:23:14Z JayFoxRox 2 Listed more Kreon versions for SH-D162C wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * TS04 Kreon 0.5 (June 23rd 2006) * TS04 Kreon 0.60 (July 30th 2006) * TS04 Kreon 0.80 (September 9th 2006) * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * TSDNMAC for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * TSDNWIN for Microsoft Windows Vista and 7 * Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 39cc71f471fb5d02a41aaf5995717f4d50314c53 6827 6826 2020-01-20T19:30:19Z JayFoxRox 2 Add more flashing software wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * TS04 Kreon 0.5 (June 23rd 2006) * TS04 Kreon 0.60 (July 30th 2006) * TS04 Kreon 0.80 (September 9th 2006) * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * [https://web.archive.org/web/20160904080433/http://www.tsstodd.com:80/TotalLib/popup/Download.asp?path=program&lang=eng&fname=TSDNMAC.ZIP TSDNMAC] for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * [https://web.archive.org/web/20100105230358/http://samsungodd.com/KorLib/File/Tsdnwin.exe TSDNWIN] for Microsoft Windows Vista and 7 * [https://web.archive.org/web/20060328075340/http://www.samsungodd.com/eng/information/Application/Files/sfdndos.exe SFDNDOS] [https://web.archive.org/web/20060328072528/http://www.samsungodd.com/eng/information/Application/Files/Sfdndosm.exe SNFDOSM] and the newer TSDNDOS for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 1f4021c2476023337e188ff4f3734169ad59a840 6831 6827 2020-01-24T18:19:19Z JayFoxRox 2 Add TSDNDOS link and fix typo wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * TS04 Kreon 0.5 (June 23rd 2006) * TS04 Kreon 0.60 (July 30th 2006) * TS04 Kreon 0.80 (September 9th 2006) * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * [https://web.archive.org/web/20160904080433/http://www.tsstodd.com:80/TotalLib/popup/Download.asp?path=program&lang=eng&fname=TSDNMAC.ZIP TSDNMAC] for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * [https://web.archive.org/web/20100105230358/http://samsungodd.com/KorLib/File/Tsdnwin.exe TSDNWIN] for Microsoft Windows Vista and 7 * [https://web.archive.org/web/20060328075340/http://www.samsungodd.com/eng/information/Application/Files/sfdndos.exe SFDNDOS] [https://web.archive.org/web/20060328072528/http://www.samsungodd.com/eng/information/Application/Files/Sfdndosm.exe SFDNDOSM] and the newer TSDNDOS ([https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverid=r205571 included here]) for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] b5012077c8180974b6830aa37210eaaf63564d46 0 3669 6828 6783 2020-01-21T20:03:48Z JayFoxRox 2 Combine existing GDR-8050L DVD drive sections (also fixes structure of article) wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at Xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 3c4ceca02157eb06b9e022126dfcf0ebc013c7f8 6829 6828 2020-01-21T21:51:17Z JayFoxRox 2 Add link to "djhuevo script" wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 239a761770d8b24bc114b9b5918c5c4148417b23 6830 6829 2020-01-21T22:36:36Z JayFoxRox 2 Add note about Commodore4Eva firmwares wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILLIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 5012285db9b28bcc3ed675d9b19d8208c11015f7 0 11 6833 6766 2020-02-09T06:00:25Z DiscoStarslayer 2509 Add Microsoft Gamepad Hardware revision findings to Wiki wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest Known Model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |x800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 64 | 8 idProduct: 0x0202 | 0x0289 bcdDevice: 1.00 | 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.20 | 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 7c8bc0d2c1575e5a2023e9bb3fdd5007989b2c67 6834 6833 2020-02-09T17:27:40Z DiscoStarslayer 2509 Fixed some typos wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest Known Model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |x800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 23cc8e85993b6424250c1c458c2d816ae431554c 6835 6834 2020-02-09T17:49:46Z DiscoStarslayer 2509 Added new controller discovery, 23-0923A wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest Known Model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== 23-0923A ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 366be741fac69563b76ad724016526bc6174a7e5 6836 6835 2020-02-09T20:35:33Z DiscoStarslayer 2509 Captured 23-0923A lsusb dump wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest Known Model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 745adb7a74b72bdb4e4ab26dbe5b4808b679938a 6837 6836 2020-02-09T21:39:04Z DiscoStarslayer 2509 Add new duke discoveries wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 5d2e5ad8255542ddf22a1cb619cdc58fb35a2c71 6838 6837 2020-02-09T21:42:26Z DiscoStarslayer 2509 Document USB Descriptor changes wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S {{FIXME|Reason=Missing Sticker on sample, name extrapolated from other models}} |Unknown{{FIXME|Reason=Missing Sticker}} |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] e415ea90fe6d4ac166196d39fcdb716a83a63fd8 6839 6838 2020-02-09T21:58:10Z DiscoStarslayer 2509 Found new source for 23-0923B stickers wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] 2bbae8ec671586eceed2f5787d67dde0d494961c 6840 6839 2020-02-09T22:05:48Z DiscoStarslayer 2509 Add link to hardware research spreadsheet wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B Descriptors ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] c6e1930ae6d5cc00ad78f205ced1a5c4910ad4ec 6841 6840 2020-02-09T22:06:11Z DiscoStarslayer 2509 Title consistency wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] da43f523be87c30f4c9b7c7981770d3ed9c11876 6842 6841 2020-02-09T22:20:43Z DiscoStarslayer 2509 Add transparent green revision details wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter. Decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 39f9c144abd49f4dabf77aef06e6840bd9594a14 0 3701 6843 6701 2020-04-07T22:06:18Z Chipsnapper 2523 changed Symantec link to archive.org, pdf file has been removed wikitext text/x-wiki Xbox 360 Backward Compatibility is Microsofts original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPRDT section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://web.archive.org/web/20070216172548/https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages (Microsoft) page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://randomascii.wordpress.com/2019/03/20/exercises-in-emulation-xbox-360s-fma-instruction/ Blog post about FMA math emulation by Bruce Dawson (Microsoft)] * [https://www.youtube.com/watch?v=Da_ont-2AG0 Modern Vintage Gamer: Revisiting Original Xbox Backward Compatibility on the Xbox 360] b26bca1cc409091d9ffac92d5780bb38afccde94 0 3995 6844 2020-04-07T22:07:39Z Chipsnapper 2523 Redirected page to [[Xbox 360 Backward Compatibility]] wikitext text/x-wiki #REDIRECT[[Xbox 360 Backward Compatibility]] 558670c3443bc50dfde79fcef49ba13a183cc024 0 1 6845 6763 2020-04-07T22:08:46Z Chipsnapper 2523 /* Emulation */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Fusion]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] bd4f18d023b4e59e74d1a34408a5f13cca98c9a3 6847 6845 2020-04-07T22:25:15Z Chipsnapper 2523 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 59f3601fd013c666f6c4cbd5f099f90bdaca8e03 0 3996 6846 2020-04-07T22:24:52Z Chipsnapper 2523 Created page with "'''Fission''' is Microsoft's Xbox emulator for Xbox One. Games run at four times native resolution on Xbox One and sixteen times native resolution on Xbox One X. ==Reference..." wikitext text/x-wiki '''Fission''' is Microsoft's Xbox emulator for Xbox One. Games run at four times native resolution on Xbox One and sixteen times native resolution on Xbox One X. ==References and links== * [https://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility The Untold Story of Xbox One Backwards Compatibility - IGN] * [https://en.wikipedia.org/wiki/List_of_backward_compatible_games_for_Xbox_One#List_of_compatible_titles_from_Xbox Compatible game list] d0941d8b4cd7149afe0355d132f69f5d9e3a1b6f 6 3997 6848 2020-04-14T23:17:44Z Espes 2484 Test Upload Please Ignore wikitext text/x-wiki Test Upload Please Ignore ff5a8d0c9517080598a6135412de952bcd1c8258 2 3948 6849 6794 2020-04-16T12:50:36Z JayFoxRox 2 /* Savegame notes */ wikitext text/x-wiki For contact details, see http://jannikvogel.de/ = Unfinished information = == Savegame notes == ''Most of this had already been documented in [[Xbox Savegame System]]'' There's no database or anything for savegames - the directory-listing APIs are used to enumerate all savegames. The data is obviously in E:/UDATA/. Each XBE has a subdirectory for it's title-id. Then each save is a subdirectory (I'm not sure about the name; but it's some 48-bit hex value). XAPI would normally initialize title-images before `main()` of the XBE. The data is copied from sections "$$XTIMAGE" (TitleImage.xbx) and "$XSIMAGE" (saveimage.xbx in savegame folder). I believe the saveimage can differ for different save-games, which implies that they probably have another API. I'm also not sure where it would put saveimages, because no savegame exists then. The images are [[XPR]], and could theoretically be any format supported by the GPU. The dashboard expects them to be swizzled (checks on load imply this), but linear textures might still work. Metadata is stored in TitleMeta.xbx and SaveMeta.xbx (in savegame folder). I'm not sure when / how they are initialized. I'm not sure if they are already shown in the dashboard, even if metadata is missing. Metadata are INI files, which are implicitly prefixed with `[default]`. I don't think there's any comments allowed. I believe that XAPI has a hardcoded emitter. Whereas the dashboard has some INI parser. I'm not sure about the parser in XAPI (or if it even has one). I believe metadata also supports keys without values. When reading, it will try to read a localized version first, before reading from the `[default]` section. I have looked at many savegames, but had never seen this. I'm not sure if this was ever used. I believe the metadata files can be ASCII or Unicode (using [https://en.wikipedia.org/wiki/Byte_order_mark Unicode BOM prefix]) Titledata in E:/TDATA is similar. The user soundtrack / music collection is using a database file. See [[Soundtracks]]. === NoCopy flag === https://www.reddit.com/r/originalxbox/comments/c6pvi2/modify_xbox_game_saves/esb7omf/ === TitleMeta.xbx locales === Put this into a file and move it to "E:/UDATA/13371337/TitleMeta.xbx" and check which languages your MS dashboard supports. I have dumped the locales from a list in xboxdash.xbe in dashboard version 1.00.5960.01 from Germany. I've then tried all languages that my Xbox dashboard supported in NTSC mode. <pre> TitleName=#Known locale - (fallback, same as [default]) [ZW] TitleName=#Unknown locale [zw] [ZA] TitleName=#Unknown locale [za] [YE] TitleName=#Unknown locale [ye] [VN] TitleName=#Unknown locale [vn] [VE] TitleName=#Unknown locale [ve] [UZ] TitleName=#Unknown locale [uz] [UY] TitleName=#Unknown locale [uy] [US] TitleName=#Unknown locale [us] [UA] TitleName=#Unknown locale [ua] [TW] TitleName=#Unknown locale [tw] [TT] TitleName=#Unknown locale [tt] [TR] TitleName=#Unknown locale [tr] [TN] TitleName=#Unknown locale [tn] [TH] TitleName=#Unknown locale [th] [SY] TitleName=#Unknown locale [sy] [SV] TitleName=#Unknown locale [sv] [SK] TitleName=#Unknown locale [sk] [SI] TitleName=#Unknown locale [si] [SG] TitleName=#Unknown locale [sg] [SE] TitleName=#Unknown locale [se] [SA] TitleName=#Unknown locale [sa] [RU] TitleName=#Unknown locale [ru] [RO] TitleName=#Unknown locale [ro] [QA] TitleName=#Unknown locale [qa] [PY] TitleName=#Unknown locale [py] [PT] TitleName=#Unknown locale [pt] [PR] TitleName=#Unknown locale [pr] [PL] TitleName=#Unknown locale [pl] [PK] TitleName=#Unknown locale [pk] [PH] TitleName=#Unknown locale [ph] [PE] TitleName=#Unknown locale [pe] [PA] TitleName=#Unknown locale [pa] [OM] TitleName=#Unknown locale [om] [NZ] TitleName=#Unknown locale [nz] [NO] TitleName=#Unknown locale [no] [NL] TitleName=#Unknown locale [nl] [NI] TitleName=#Unknown locale [ni] [MY] TitleName=#Unknown locale [my] [MX] TitleName=#Unknown locale [mx] [MV] TitleName=#Unknown locale [mv] [MO] TitleName=#Unknown locale [mo] [MN] TitleName=#Unknown locale [mn] [MK] TitleName=#Unknown locale [mk] [MC] TitleName=#Unknown locale [mc] [MA] TitleName=#Unknown locale [ma] [LY] TitleName=#Unknown locale [ly] [LV] TitleName=#Unknown locale [lv] [LU] TitleName=#Unknown locale [lu] [LT] TitleName=#Unknown locale [lt] [LI] TitleName=#Unknown locale [li] [LB] TitleName=#Unknown locale [lb] [KZ] TitleName=#Unknown locale [kz] [KW] TitleName=#Unknown locale [kw] [KR] TitleName=#Unknown locale [kr] [KG] TitleName=#Unknown locale [kg] [KE] TitleName=#Unknown locale [ke] [JP] TitleName=#Unknown locale [jp] [JO] TitleName=#Unknown locale [jo] [JM] TitleName=#Unknown locale [jm] [IT] TitleName=#Unknown locale [it] [IS] TitleName=#Unknown locale [is] [IR] TitleName=#Unknown locale [ir] [IQ] TitleName=#Unknown locale [iq] [IN] TitleName=#Unknown locale [in] [IL] TitleName=#Unknown locale [il] [IE] TitleName=#Unknown locale [ie] [ID] TitleName=#Unknown locale [id] [HU] TitleName=#Unknown locale [hu] [HR] TitleName=#Unknown locale [hr] [HN] TitleName=#Unknown locale [hn] [HK] TitleName=#Unknown locale [hk] [GT] TitleName=#Unknown locale [gt] [GR] TitleName=#Unknown locale [gr] [GE] TitleName=#Unknown locale [ge] [GB] TitleName=#Unknown locale [gb] [FR] TitleName=#Unknown locale [fr] [FO] TitleName=#Unknown locale [fo] [FI] TitleName=#Unknown locale [fi] [ES] TitleName=#Unknown locale [es] [EG] TitleName=#Unknown locale [eg] [EE] TitleName=#Unknown locale [ee] [EC] TitleName=#Unknown locale [ec] [DZ] TitleName=#Unknown locale [dz] [DO] TitleName=#Unknown locale [do] [DK] TitleName=#Unknown locale [dk] [DE] TitleName=#Unknown locale [de] [CZ] TitleName=#Unknown locale [cz] [CR] TitleName=#Unknown locale [cr] [CO] TitleName=#Unknown locale [co] [CN] TitleName=#Unknown locale [cn] [CL] TitleName=#Unknown locale [cl] [CH] TitleName=#Unknown locale [ch] [CA] TitleName=#Unknown locale [ca] [BZ] TitleName=#Unknown locale [bz] [BY] TitleName=#Unknown locale [by] [BR] TitleName=#Unknown locale [br] [BO] TitleName=#Unknown locale [bo] [BN] TitleName=#Unknown locale [bn] [BH] TitleName=#Unknown locale [bh] [BG] TitleName=#Unknown locale [bg] [BE] TitleName=#Unknown locale [be] [AZ] TitleName=#Unknown locale [az] [AU] TitleName=#Unknown locale [au] [AT] TitleName=#Unknown locale [at] [AR] TitleName=#Unknown locale [ar] [AM] TitleName=#Unknown locale [am] [AL] TitleName=#Unknown locale [al] [AE] TitleName=#Unknown locale [ae] [default] TitleName=#Known locale [default] - (fallback) [EN] TitleName=#Known locale [EN] - english [JA] TitleName=#Known locale [JA] - (japanese) [DE] TitleName=#Known locale [DE] - deutsch [FR] TitleName=#Known locale [FR] - francais [ES] TitleName=#Known locale [ES] - espanol [IT] TitleName=#Known locale [IT] - italiano [KO] TitleName=#Known locale [KO] - (korean) [TW] TitleName=#Known locale [TW] - (taiwanese) [BR] TitleName=#Known locale [BR] - portugues </pre> == THPS2X Syslink crash == Happens if too many servers are present (this is where data is written to driver?): <pre> Hardware watchpoint 1: *(int*)0xD004D048 Old value = 1065353216 New value = 1500647462 0x00215adf in ?? () (gdb) pint $eip Undefined command: "pint". Try "help". (gdb) print $eip $1 = (void (*)()) 0x215adf </pre> And this seems to copy server to database (this in particular copied string?): <pre> Hardware watchpoint 1: *(int*)0xf47944 Old value = 926102321 New value = 858992984 0x00156cc3 in ?? () (gdb) print $eip $2 = (void (*)()) 0x156cc3 (gdb) info reg eax 0xd0043260 -805031328 ecx 0x1d 29 edx 0x0 0 ebx 0xf20ce0 15863008 esp 0xd004324c 0xd004324c ebp 0xf20ce0 0xf20ce0 esi 0xd00432a0 -805031264 edi 0xf47948 16021832 eip 0x156cc3 0x156cc3 eflags 0x246 [ PF ZF IF ] cs 0x8 8 ss 0x10 16 ds 0x10 16 es 0x10 16 fs 0x20 32 gs 0x0 0 (gdb) x/10i $eip => 0x156cc3: rep movsl %ds:(%esi),%es:(%edi) 0x156cc5: call 0x1b9db6 0x156cca: mov 0x29b44(%ebx),%ecx 0x156cd0: mov 0x10(%esp),%edx 0x156cd4: imul $0x78,%ecx,%ecx 0x156cd7: mov %edx,0x26ca8(%ecx,%ebx,1) 0x156cde: mov 0x14(%esp),%eax 0x156ce2: mov %eax,0x26cac(%ecx,%ebx,1) 0x156ce9: mov 0x29b44(%ebx),%eax 0x156cef: mov (%ebx),%edx </pre> == Reset == There are various methods to reset an Xbox or major parts of it (successfully or not). === SMC Cold Reboot === * CPU cycles: X > 0 === SMC Warm Reboot === * CPU cycles: X > 0 === PM26 === * CPU cycles: X > 0 === RST_CNT (RST_CPU) === [https://www.intel.com/content/dam/doc/datasheet/82801ba-i-o-controller-hub-2-82801bam-i-o-controller-hub-2-mobile-datasheet.pdf equivalent docs?] === RST_CNT (RST_CPU + SYS_RST) === === RST_CNT (RST_CPU + FULL_RST) === === RST_CNT (RST_CPU + SYS_RST + FULL_RST) === * CPU cycles: 0 === Triple fault === * CPU cycles: 0{{FIXME|reason=untested}} === PCI-to-PCI bridge secondary bus reset === * CPU cycles: X > 0 ---- b348391a499083ed6d72d927b8c27c6670e33445 0 11 6850 6842 2020-04-29T18:55:34Z Billy549 2520 /* USB Adapters */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] e449c90196db4c8f4c47dac09ee44ef6d757af20 6887 6850 2020-11-09T03:26:39Z Ryzee119 2519 Add Steel Battalion bType wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 10cb57b992470ea7780a7600b0de117b5508d185 6888 6887 2020-11-09T03:45:43Z Ryzee119 2519 Add Steel Battalion XID descriptor wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 34 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 92a1481b437cd2c17504893b633c8d09aedefc95 6889 6888 2020-11-09T03:47:20Z Ryzee119 2519 Fix old error in Input report size for Steel Battalion wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 3725a1a81471df188b41762efb724eb15a2d7c72 6890 6889 2020-11-09T03:51:53Z Ryzee119 2519 Add Controller-S XID Descriptor wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} Xbox games use the full range from 0x0000 to 0xFFFF for both the left and right actuators. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] bf12e58e2ac42e6f6a469995a9f8853a3f03c089 6895 6890 2020-11-22T21:33:52Z Ryzee119 2519 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The lower 8 bits and the upper 8 bits of the rumble word are mirrored. i.e. for half rumble the console would send 0x80,0x80 to each actuator. Further testing is required to confirm this is true across all games. The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 65d75324858599be56120d451686954a1d02e475 6897 6895 2021-02-08T03:09:20Z Ryzee119 2519 /* Xbox to Controller */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 67e3a1776294f756b06a2faa96588cacc2a80507 6898 6897 2021-03-03T15:26:45Z RadWolfie 2528 add arcade stick bSubtype and list of known devices in existance wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick **; List of known devices in existence<nowiki>:</nowiki> *** Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan *** Street Fighter 15th Anniversary Edition Arcade Stick *** Gamester Xbox Arcade Stick *** Nuby Xbox Fighter Arcade Stick *** Nuby Xbox Arcade Super Stick ****: Item#<nowiki>:</nowiki>36020 *** Naki Ultimate Fighting Stick ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 3c36163868769f6bf8e35644e003c91e01255ecc 0 8 6851 6819 2020-05-04T23:38:37Z JayFoxRox 2 nvidia is having issues or taking files down; using archive.org links where possible wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [http://www.disneyanimation.com/technology/brdf.html Walt Disney BRDF Explorer] * [https://disney-animation.s3.amazonaws.com/library/s2012_pbs_disney_brdf_notes_v2.pdf Walt Disney BRDF Paper] * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] * nvidia resources ''(The code and technique is probably not using the texture shader that is described here)'': ** [http://www.nvidia.in/attach/6670 BRDFs.pdf]{{FIXME|reason=URL dead; not in archive.org!}} / [http://www.nvidia.in/attach/6669 BRDFs.ppt]{{FIXME|reason=URL dead; not in archive.org!}} ** [https://web.archive.org/web/20191214200801/https://www.nvidia.com/attach/6568 BRDFIntro.pdf] / [https://web.archive.org/web/20191214200809/https://www.nvidia.com/attach/6569 BRDFIntro.doc] ** [https://web.archive.org/web/20191214200757/https://www.nvidia.com/attach/6567 BRDFSeparable.pdf] / [https://web.archive.org/web/20191214200753/https://www.nvidia.com/attach/6566 BRDFSeparable.doc] ** [https://web.archive.org/web/20191214200813/https://www.nvidia.com/attach/6570 brdfseparate.zip] ** [https://web.archive.org/web/20191214200819/https://www.nvidia.com/attach/6571 brdfview.zip] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 1d78cd45525a6c566247c74a8e82ffab23e492de 6853 6851 2020-05-06T03:37:19Z JayFoxRox 2 Found another nvidia mirror for BRDFs.pdf; added to archive.org wikitext text/x-wiki == Data types == NV_texture_shader suggests that: ''"The 8-bit and 16-bit signed fixed-point types are used for signed internal texture formats, while the 9-bit signed fixed-point type is used for register combiners computations."'' Here is a table from the GL extension: {| class="wikitable" ! floating-point !! 8-bit fixed-point !! 9-bit fixed-point !! 16-bit fixed-point |- | 1.0 || n/a || 255 || n/a |- | 0.99996... || n/a || n/a || 32767 |- | 0.99218... || 127 || n/a || n/a |- | 0.0 || 0 || 0 || 0 |- | -1.0 || -128 || -255 || -32768 |- | -1.00392... || n/a || -256 || n/a |} This means: * 8-bit fixed-point: [-128, 127] &rarr; [-128/128, 127/128] &rarr; [-1.0, 0.99218...] * 9-bit fixed-point: [-256, 255] &rarr; [-256/255, 255/255] &rarr; [-1.00392..., 1.0] * 16-bit fixed-point: [-32768, 32767] &rarr; [-32768/32768, 32767/32768] &rarr; [-1.0, 0.99996...] It is not known if the NV2A really implements these 3 datatypes. It is also not yet known how exactly conversion or negation of these types would work. == Texture Shaders == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader.txt NV_texture_shader] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader2.txt NV_texture_shader2] * [https://www.khronos.org/registry/OpenGL/extensions/NV/NV_texture_shader3.txt NV_texture_shader3]{{citation needed}} === Texturing modes === {|class="wikitable" !ID !Name !D3D name !GL Name !Stage 1 !Stage 2 !Stage 3 !Stage 4 !Notes |- |0x00 |PS_TEXTUREMODES_NONE | |NONE |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x01 |PS_TEXTUREMODES_PROJECT2D |tex |TEXTURE_2D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x02 |PS_TEXTUREMODES_PROJECT3D |tex |TEXTURE_3D |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x03 |PS_TEXTUREMODES_CUBEMAP |tex |TEXTURE_CUBE_MAP_ARB |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x04 |PS_TEXTUREMODES_PASSTHRU |texcoord |PASS_THROUGH_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x05 |PS_TEXTUREMODES_CLIPPLANE |texkill |CULL_FRAGMENT_NV |{{yes}} |{{yes}} |{{yes}} |{{yes}} | |- |0x06 |PS_TEXTUREMODES_BUMPENVMAP |texbem |OFFSET_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x07 |PS_TEXTUREMODES_BUMPENVMAP_LUM |texbeml |OFFSET_TEXTURE_2D_SCALE_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x08 |PS_TEXTUREMODES_BRDF |texbrdf | |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x09 |PS_TEXTUREMODES_DOT_ST |texm3x2tex |DOT_PRODUCT_TEXTURE_2D_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0A |PS_TEXTUREMODES_DOT_ZW |texm3x2depth |DOT_PRODUCT_DEPTH_REPLACE_NV |{{no}} |{{no}} |{{yes}} |{{yes}} | |- |0x0B |PS_TEXTUREMODES_DOT_RFLCT_DIFF |texm3x3diff |DOT_PRODUCT_DIFFUSE_CUBE_MAP_NV{{citation needed}} |{{no}} |{{no}} |{{yes}} |{{no}} | |- |0x0C |PS_TEXTUREMODES_DOT_RFLCT_SPEC |texm3x3vspec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0D |PS_TEXTUREMODES_DOT_STR_3D |texm3x3tex |DOT_PRODUCT_TEXTURE_3D_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0E |PS_TEXTUREMODES_DOT_STR_CUBE |texm3x3vspec |DOT_PRODUCT_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |- |0x0F |PS_TEXTUREMODES_DPNDNT_AR |texreg2ar |DEPENDENT_AR_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x10 |PS_TEXTUREMODES_DPNDNT_GB |texreg2gb |DEPENDENT_GB_TEXTURE_2D_NV |{{no}} |{{yes}} |{{yes}} |{{yes}} | |- |0x11 |PS_TEXTUREMODES_DOTPRODUCT |texm3x3pad<br>texm3x2pad |DOT_PRODUCT_NV |{{no}} |{{yes}} |{{yes}} |{{no}} | |- |0x12 |PS_TEXTUREMODES_DOT_RFLCT_SPEC_CONST |texm3x3spec |DOT_PRODUCT_CONST_EYE_REFLECT_CUBE_MAP_NV |{{no}} |{{no}} |{{no}} |{{yes}} | |} === 0x08: PS_TEXTUREMODES_BRDF / texbrdf === The BRDF texture shader is probably only exposed on original Xbox, but not in standard OpenGL or D3D drivers. These are some generic resources about BRDFs: * [http://www.disneyanimation.com/technology/brdf.html Walt Disney BRDF Explorer] * [https://disney-animation.s3.amazonaws.com/library/s2012_pbs_disney_brdf_notes_v2.pdf Walt Disney BRDF Paper] * [https://math.nist.gov/~FHunt/appearance/brdf.html Collection of BRDF information] * [http://www-graphics.stanford.edu/~smr/brdf/bv/ BRDF viewer]{{FIXME|reason=Find alternative; this one is hard to compile}} * [https://www.merl.com/brdf/ BRDF Database by Mitsubishi] * nvidia resources ''(The code and technique is probably not using the texture shader that is described here)'': ** [https://web.archive.org/web/20200506033455/http://developer.download.nvidia.com/assets/gamedev/docs/BRDFs.pdf BRDFs.pdf] / [http://www.nvidia.in/attach/6669 BRDFs.ppt]{{FIXME|reason=URL dead; not in archive.org!}} ** [https://web.archive.org/web/20191214200801/https://www.nvidia.com/attach/6568 BRDFIntro.pdf] / [https://web.archive.org/web/20191214200809/https://www.nvidia.com/attach/6569 BRDFIntro.doc] ** [https://web.archive.org/web/20191214200757/https://www.nvidia.com/attach/6567 BRDFSeparable.pdf] / [https://web.archive.org/web/20191214200753/https://www.nvidia.com/attach/6566 BRDFSeparable.doc] ** [https://web.archive.org/web/20191214200813/https://www.nvidia.com/attach/6570 brdfseparate.zip] ** [https://web.archive.org/web/20191214200819/https://www.nvidia.com/attach/6571 brdfview.zip] {{FIXME|reason=Describe Xbox specific BRDF texture shader}} == Register combiners == The NV2A implements at least parts of the following OpenGL extensions: * [https://www.opengl.org/registry/specs/NV/register_combiners.txt NV_register_combiners] * [https://www.opengl.org/registry/specs/NV/register_combiners2.txt NV_register_combiners2] There's some additional features and oddities. === DISCARD and ZERO are the same register === On NV2A the DISCARD and ZERO register are the same index: writes are discarded / reads return zero. This is different from NV_register_combiners where 2 different constants are used. === Encoding of input swizzle === NV2A uses a single ALPHA flag to specify the swizzle of inputs: * 0 for <code>.rgb</code> (RGB portion only) and <code>.b</code> (ALPHA portion only). * 1 for <code>.aaa</code> (RGB portion only) and <code>.a</code> (ALPHA portion only). This is different from NV_register_combiners where each swizzle has its own constant. === Per stage constant-colors === The combiner setup switches between using the same <code>const0</code> and <code>const1</code> for all stages (<code>FACTOR#_SAME_FACTOR_ALL</code>), or using different constant-colors per stage (<code>FACTOR#_EACH_STAGE</code>). On NV2A, the final-combiner does always have unique constants (even using <code>FACTOR#_SAME_FACTOR_ALL</code>) from all other stages. If <code>FACTOR#_SAME_FACTOR_ALL</code> is used, the constant-colors for all other stages are taken from the very first stage. This setting can be controlled independently for <code>const0</code> and <code>const1</code>. This is different from NV_register_combiners2. If that GL extension isn't available / enabled, then the constants are shared between general combiner stages and the final combiner (which doesn't have unique colors then). Additionally, the GL extension can only control this for both constant-colors at the same time. === Encoding of constant-colors === On NV2A, the constant-colors are encoded as 8-bit unsigned int values, packed into a 32-bit ARGB value (<code>(a<<24 | r<<16 | g<<8 | b)</code>). This is different from NV_register_combiners where constant-colors are specified as floats in RGBA format. === BLUETOALPHA in RGB portion === NV2A has a special flag to write the blue result (RGB portion) of the A/B and C/D computations to the alpha channel of the RGB portion output register. There's no such option for the AB/CD result. {{FIXME|reason=Document specifics, tests proposed on https://github.com/JayFoxRox/nxdk/pull/33}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the RGB portion always writes to <code>.rgb</code> of the output. === Special "or" operation (MUX) modifier === NV2A has a special flag to switch between MSB and LSB{{FIXME|reason=Unconfirmed / untested - doesn't make a lot of sense}} for the special "or" operation (MUX). {{FIXME|reason=Check the comparison type}} This feature isn't available in GL, probably. This is different from NV_register_combiners where the special "or" operation (MUX) is always doing: <code>spare0_alpha >= 0.5 ? C*D : A*B</code>. == Debugging == PIX from the Microsoft XDK provides great debugging capabilities. === References and links === * [http://developer.download.nvidia.com/assets/gamedev/docs/ProgrammableTextureBlending.pdf Overview about programmable texture blending] <!-- Mirror: https://www.nvidia.com/object/programmable_texture_blending.html --> * [http://developer.download.nvidia.com/assets/gamedev/docs/combiners.pdf Overview of register combiners] * [https://github.com/XboxDev/nxdk/blob/77b5de45f0c64e70f2ff68248873448d5edccc71/tools/fp20compiler/ps1.0_program.cpp#L227 Code from nvparse (NVIDIA SDK 9.52) in nxdk, which handles shader to OpenGL conversion] * http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf [[Category:NV2A]] 9ea8b893374f4861638e8731b213c2bf3269ab0c 0 9 6852 6813 2020-05-04T23:42:50Z JayFoxRox 2 nvidia is having issues or taking files down; using archive.org links where possible wikitext text/x-wiki The Xbox implements the 2 GL extensions [https://www.opengl.org/registry/specs/NV/vertex_program.txt NV_vertex_program] and [https://www.opengl.org/registry/specs/NV/vertex_program1_1.txt NV_vertex_program1_1] (with some modifications). This article will mainly focus on actual encoding on hardware as the behaviour is mostly outlined in those GL extensions already. == Operating modes == * Fixed / Programmable * Writeable / Read-Only constants * Low-constants only / all constants * Vertex processing / State program == Registers == === Input registers === There are 16 input registers v[0] to v[15]. They normally [[NV2A/Vertex attributes|map to the vertex attributes]]. However, in the case of vertex state programs, v[0] is fed from LAUNCH_DATA (PGRAPH Methods 0x1E80, 0x1E84, 0x1E88, 0x1E8C for XYZW respectively) instead. === Output registers === 11 output registers o[<RegName>] (initialized to XYZ=0x00000000 W=0x3F800000). {|class="wikitable" |+Output registers |- !Index !GL Name !D3D Name !Meaning |- |0 |HPOS |oPos |Homogeneous clip space position |- |3 |COL0 |oD0 |Primary color (front-facing) |- |4 |COL1 |oD1 |Secondary color (front-facing) |- |5 |FOGC |oFog |Fog coordinate |- |6 |PSIZ |oPts |Point size |- |7 |BFC0 |oB0 |Back-facing primary color |- |8 |BFC1 |oB1 |Back-facing secondary color |- |9 |TEX0 |oT0 |Texture coordinate set 0 |- |10 |TEX1 |oT1 |Texture coordinate set 1 |- |11 |TEX2 |oT2 |Texture coordinate set 2 |- |12 |TEX3 |oT3 |Texture coordinate set 3 |} === Address register === A0.x exists as documented in the GL extension. === Temporary registers === There are 12 temporary registers: R0 to R11 (initialized to XYZW=0x00000000), as documented in the GL extension. Additionally, o[HPOS] is mirrored as R12 and can be used as source operand; so effectively you have 13 temporaries === Constant space === There are 192 constant registers in two seperate blocks with 96 constants each. They can be accessed through the PGRAPH RDI: select=0x17. Each constant slot is 4x DWORD, ordered as WZYX. Alternatively they can be uploaded through PGRAPH method [FIXME], with 4x DWORD, ordered XYZW. In nvidia vertex programs only 96 constants are normally accessible. Microsoft exposed the 96 additional constant registers in D3D shaders through c[-96] to c[-1]. This documentation uses the GL terminology instead and expose the new registers as c[96] to c[191]. This means c[0] to c[191] valid. == Instructions == In total, there are 136 instruction slots. Each slot consists of 16 bytes, we consider those as 4 seperate little-endian DWORDS describing the operation. Word 0 is inused. {| class="wikitable" |+Fields |- !Meaning !Word !Offset (bits) !Size (bits) |- |ILU Operation |1 |25 |3 |- |MAC Operation |1 |21 |4 |- |Constant index |1 |13 |8 |- |Input index |1 |9 |4 |- |Source 1 negate |1 |8 |1 |- |Source 1 swizzle X |1 |6 |2 |- |Source 1 swizzle Y |1 |4 |2 |- |Source 1 swizzle Z |1 |2 |2 |- |Source 1 swizzle W |1 |0 |2 |- |Source 1 register |2 |28 |4 |- |Source 1 mux |2 |26 |2 |- |Source 2 negate |2 |25 |1 |- |Source 2 swizzle X |2 |23 |2 |- |Source 2 swizzle Y |2 |21 |2 |- |Source 2 swizzle Z |2 |19 |2 |- |Source 2 swizzle W |2 |17 |2 |- |Source 2 register |2 |13 |4 |- |Source 2 mux |2 |11 |2 |- |Source 3 negate |2 |10 |1 |- |Source 3 swizzle X |2 |8 |2 |- |Source 3 swizzle Y |2 |6 |2 |- |Source 3 swizzle Z |2 |4 |2 |- |Source 3 swizzle W |2 |2 |2 |- |Source 3 register (Hi) |2 |0 |2 |- |Source 3 register (Lo) |3 |30 |2 |- |Source 3 mux |3 |28 |2 |- |Destination MAC mask |3 |24 |4 |- |Destination temporary register |3 |20 |4 |- |Destination ILU mask |3 |16 |4 |- |Destination overall mask |3 |12 |4 |- |Destination select |3 |11 |1 |- |Destination output register |3 |3 |8 |- |Destination mux |3 |2 |1 |- |Relative constant addressing |3 |1 |1 |- |Final instruction marker (EOF) |3 |0 |1 |} {| class="wikitable" |+Swizzle table |- !Value !Meaning |- |0 |X |- |1 |Y |- |2 |Z |- |3 |W |} === Functional units === ==== Inverse Logic Unit (ILU) ==== {| class="wikitable" |+ILU Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |RCP |- |3 |RCC |- |4 |RSQ |- |5 |EXP |- |6 |LOG |- |7 |LIT |} ==== Multiply-Accumulate (MAC) ==== {| class="wikitable" |+MAC Operations |- !Value !Meaning |- |0 |NOP |- |1 |MOV |- |2 |MUL |- |3 |ADD |- |4 |MAD |- |5 |DP3 |- |6 |DPH |- |7 |DP4 |- |8 |DST |- |9 |MIN |- |10 |MAX |- |11 |SLT |- |12 |SGE |- |13 |ARL |} == Related links == * nvidia resources ** [https://web.archive.org/web/20191214200729/https://www.nvidia.com/attach/6559 WhereIsThatVertexShaderInstruction.pdf] / [https://web.archive.org/web/20191214200738/https://www.nvidia.com/attach/6560 WhereIsThatVertexShaderInstruction.doc] * [https://github.com/envytools/envytools/blob/master/nvhw/pgraph_celsius_xfrm.c Code which appears to implement bit-accurate emulation of some instructions]{{FIXME|reason=Unconfirmed, needs testing}} [[Category:NV2A]] e725426fb612c2045318cf8ce484ac0f8ce1d0c3 0 3751 6854 6832 2020-05-11T14:01:14Z Derf 2525 /* Attack ideas */ Credit to /r/OriginalXbox wiki for DVD demo info. wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4931? libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] c3c968cbadf2621df33a08a2ce9ab312f9ff8570 6855 6854 2020-05-11T14:04:50Z Derf 2525 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4931? libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from cdrom, so a vulnerability could be found in those. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 394217521e9cd70d903ab28ce3911faa8dcba10f 6856 6855 2020-05-11T14:05:48Z Derf 2525 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4931? libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from cdrom, so a vulnerability could be found in those. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 260df4098f139446740686907c3842c57d303b23 6857 6856 2020-05-11T14:06:09Z Derf 2525 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4931? libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from cdrom, so a vulnerability could be found in those. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] fc60ff2ff3422de4f6902cca0b8c69ba7abce08e 6858 6857 2020-05-11T14:39:05Z Derf 2525 wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4831 libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from cdrom, so a vulnerability could be found in those. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 1fd369538fc6b59ed8f489b448743d32527c6278 0 3829 6859 6557 2020-05-21T01:55:51Z Billy549 2520 Add link to PCBs wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} ==== Links ==== * [https://github.com/JayFoxRox/xbox-tools/tree/4bc808e187311010f850d7fbd9af4b76bed90727/communicator-tool Code for accessing the communicator microphone and speaker] * [https://imgur.com/gallery/mJmP5Ys Billy549's CC-BY-SA shots of the internal PCB] d95748c2a7d37448a99d2116421ba0826917ef94 6860 6859 2020-05-21T02:19:20Z Billy549 2520 Add data sheet for UAC 3556B wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} ==== Links ==== * [https://github.com/JayFoxRox/xbox-tools/tree/4bc808e187311010f850d7fbd9af4b76bed90727/communicator-tool Code for accessing the communicator microphone and speaker] * [https://imgur.com/gallery/mJmP5Ys Billy549's CC-BY-SA shots of the internal PCB] * [https://web.archive.org/web/20200521011406/http://www.kako.com/neta/2005-009/uac3556b.pdf Datasheet for UAC 3556B (close to the 3560B that the Xbox Communicator uses] 70a7ed02b35abd1a0101701c1f77ef6639796da3 6865 6860 2020-05-22T21:23:23Z Billy549 2520 Add PCB images directly on-wiki, remove Imgur link wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] [[File:XBCommunicator-front.jpg|thumb|200px|PCB Front]] [[File:XBCommunicator-back.jpg|thumb|200px|PCB Back]] == Protocol == === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} ==== Links ==== * [https://github.com/JayFoxRox/xbox-tools/tree/4bc808e187311010f850d7fbd9af4b76bed90727/communicator-tool Code for accessing the communicator microphone and speaker] * [https://web.archive.org/web/20200521011406/http://www.kako.com/neta/2005-009/uac3556b.pdf Datasheet for UAC 3556B (close to the 3560B that the Xbox Communicator uses] 9b0d99c918ff4bc4b4de6123611614897f59bfff 0 3674 6861 6752 2020-05-21T06:18:17Z Redherring32 2513 Editors to clarify that memory can only be upgrades on pre-1.6 boards. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 2e457ca3f878467ce62d55fcf7a0d91af0d9ca8e 6862 6861 2020-05-21T06:18:47Z Redherring32 2513 wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 47490bed95fdbd3481a5db2a14e4d265a4ade09f 6 3998 6863 2020-05-22T21:17:59Z Billy549 2520 Back shot of the XBCommunicator - licensed by Billy549 under CC-BY-SA 4.0 wikitext text/x-wiki Back shot of the XBCommunicator - licensed by Billy549 under CC-BY-SA 4.0 f58ba70e75872bfc4cb387b79eb2c0d4b503c881 6 3999 6864 2020-05-22T21:20:06Z Billy549 2520 Front shot of the XBCommunicator - licensed by Billy549 under CC-BY-SA 4.0 wikitext text/x-wiki Front shot of the XBCommunicator - licensed by Billy549 under CC-BY-SA 4.0 1106e6bab106d69bdfbefa04339e461d2ec4e79d 0 3672 6866 6280 2020-05-26T14:31:12Z JayFoxRox 2 Add skeptical note about 4132 / 4134 wikitext text/x-wiki The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form. On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running: <pre> $ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad </pre> You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times. == Components == The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences. {| class="wikitable" ! ! 3944 !! 4034 !! 4134{{FIXME|reason=Some sources claim there is 4132; however, neither 4134 or 4132 are listed in redump. So this might not be a real MS bios}} !! 4817 !! 5101 !! 5530 !! 5713 !! 5838 |- ! NV2A Initialization Table | 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 |- ! MCPX Initialization Table | 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 |- ! X-Codes | 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 |- ! Copyright String | 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC |- ! Kernel | 0x0619C || || || || || || || |- ! Kernel Data Segment | 0x3944C || || || || || || || |- ! 2BL <br> ''Always 0x6000 bytes'' | 0x39E00 || 0x39E00 || 0x39E00 || || || || || |- ! FBL <br> ''Always 0x2880 bytes'' | || || || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 |- ! Decoy Boot Loader | 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 |} For information how these sections are used, see [[Boot Process]]. === NV2A Initialization Table === The first DWORD is a pointer to a table of values that the NV2A northbridge uses to initialize itself, but with the least-significant bit always set to 1 (likely some sort of sanity check). The second DWORD is the unmodified table pointer. On all Xbox BIOS, the NV2A initialization table is always at file offset 8, virtual address 0xFF000008. The first DWORD of the NV2A initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown{{FIXME}}. === MCPX Initialization Table === This is a table of values used to initialize the MCPX southbridge. It ''must'' be placed at offset 0x70 in the ROM image. === xcodes === These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are: The xcodes in the BIOS versions 3944, 4034, 4134 all start with: <code>04 10 08 00 80 01 80 00 00</code> The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: <code>04 84 08 00 80 01 80 00 00</code> This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX. Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS. === Copyright String === Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long). === Decoy bootloader === This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms. == See Also == [[BIOS Dumping]] == References == * [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project] 1a0e1189797243a9bdaa6ac9bcd608585fa8e5a0 0 3831 6867 6415 2020-06-02T09:12:32Z Teufelchen 2518 Fix 404 GitHub link wikitext text/x-wiki XTF is a font file format used in the [[Dashboard]]. It became famous for being [[Exploits#Font hacks|exploited]]. == Dashboard fonts == The fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] for use in the Xbox [[Dashboard]] as well as for promotional materials. The XTF versions of these fonts contain 7365 glyphs each. === Xbox.xtf === [[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]] A monospace font. <div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div> === XBox Book.xtf === <div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div> == File format == * 4 byte (magic) * 4 byte (length prefix for following string) * zero-terminated string with given buffer length (font-name) * [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs) * For each cGlyphsSupported: ** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph) ** 4 byte (Offset of glyph in file) * For each GLYPHSET range ** For each glyph in this range *** 2 byte (Index count) *** 2 byte (Vertex count) *** For each index: **** 2 byte (Vertex index) *** For each vertex: **** 4 byte float (X-coordinate) **** 4 byte float (Y-coordinate) The mesh data is stored as triangle list. 3 indices per triangle. {{FIXME|reason=Confirm these findings and format them better}} == Links == * [https://github.com/XboxDev/xtf-converter A tool to convert XTF fonts to SVG fonts] [[Category:Fileformats]] 419d8fd8b21811f0253434bfa52ef78cb2a0c6a7 0 3742 6868 6731 2020-06-19T06:23:32Z Ernegien 2491 /* Checksum Algorithm */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal >> 8); } free(CRC_Data); return *(uint32_t*)&checksum; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 4dedd3d35a8cf7c6a19f883f71e4ca169044a186 6869 6868 2020-06-19T06:25:25Z Ernegien 2491 /* Checksum Algorithm */ wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal >> 8); } free(CRC_Data); return *(uint32_t*)&crc; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip with a Raspberry Pi] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 65a166518e5d3c74150521c18e5945769716b6e8 6876 6869 2020-08-12T21:33:37Z JayFoxRox 2 Added VGA port dumping method wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC HDD Key == The HMAC HDD Key is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal >> 8); } free(CRC_Data); return *(uint32_t*)&crc; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip using a Raspberry Pi] * [https://mehmedbasic.dk/post/xbox-eeprom/ Read/Write an original Xbox EEPROM using a VGA port] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 3824bc2fe9d017100a8e2dfd9c9aa04dcfb43463 6877 6876 2020-08-20T01:22:37Z KaosEngineer 2482 /* The HMAC SHA1 Hash */ It's not the HMAC HDD Key but the HMAC SHA1 Hash computed across the first 48 bytes which includes the RC4 encrypted HDD Key, etc. wikitext text/x-wiki The Xbox EEPROM is a 256 byte non-volatile storage device which contains device-specific information. It is connected via I²C and located on address 0x54. Parts of the EEPROM are encrypted using [[Kernel/XboxEEPROMKey]]. == Contents == {| class="wikitable" ! Start !! End !! Notes |- | 0x00 | 0x13 | HMAC_SHA1 Hash |- | 0x14 | 0x1B | RC4 Encrypted Confounder ?? |- | 0x1C | 0x2B | RC4 Encrypted HDD key |- | 0x2C | 0x2F | RC4 Encrypted Region code * 0x00000001 = North America * 0x00000002 = Japan * 0x00000004 = Europe & Australia * 0x80000000 = Manufacturing plant |- | 0x30 | 0x33 | Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)^* |- | 0x34 | 0x3F | Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN) |- | 0x40 | 0x45 | Ethernet MAC address (Microsoft Xbox - 00:50:F2:xx:xx:xx) This is the MAC address of the Ethernet hardware, which has been [https://web.archive.org/web/20100617020733/http://standards.ieee.org/regauth/oui/oui_public.txt issued by the IEEE]. |- | 0x46 | 0x47 | Unknown Padding ? |- | 0x48 | 0x57 | Online Key ? |- | 0x58 | 0x5B | Video Standard * 0x00000000 = not set (INVALID) * 0x00400100 = NTSC-M * 0x00400200 = NTSC-J * 0x00800300 = PAL-I * 0x00400400 = PAL-M |- | 0x5C | 0x5F | Unknown Padding ? |- | 0x60 | 0x63 | Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)^* |- | 0x64 | 0x67 | Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x00000168) |- | 0x68 | 0x6B | Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST) |- | 0x6C | 0x6F | Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT) |- | 0x70 | 0x77 | Unknown Padding ? |- | 0x78 | 0x7B | Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x7C | 0x7F | Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour) |- | 0x80 | 0x87 | Unknown Padding ? |- | 0x88 | 0x8B | Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust |- | 0x8C | 0x8F | Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust |- | 0x90 | 0x93 | Language ID (0 = not set) * 0x00000001 = English * 0x00000002 = Japanese * 0x00000003 = German * 0x00000004 = French * 0x00000005 = Spanish * 0x00000006 = Italian * 0x00000007 = Korean * 0x00000008 = Chinese * 0x00000009 = Portuguese |- | 0x94 | 0x97 | Video Settings * 0x00080000 = 480p * 0x00020000 = 720p * 0x00040000 = 1080i * 0x00010000 = Widescreen{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00100000 = Letterbox{{FIXME|reason=What happens if Widescreen and letterbox are enabled at the same time? Can this happen?}} * 0x00400000 = 60Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} * 0x00800000 = 50Hz{{FIXME|reason=Unconfirmed; Also, what happens if both refresh rates are disabled?}} |- | 0x98 | 0x9B | Audio Settings * 0x00000000 = Stereo * 0x00000001 = Mono * 0x00000002 = Surround * 0x00010000 = Enable AC3 * 0x00020000 = Enable DTS |- | 0x9C | 0x9F | Games Parental Control (0 = Max rating) * 0x00000000 = Rating Pending (RP) * 0x00000001 = Adults Only (AO) * 0x00000002 = Mature (M) * 0x00000003 = Teen (T) * 0x00000004 = Everyone (E) * 0x00000005 = Kids to Adults (K-A) * 0x00000006 = Early Childhood (EC) |- | 0xA0 | 0xA3 | Parental Control Passcode; 4 button sequence (each key stored in a nibble) * 0x1 = {{input-dy+}} or {{input-ly+}} * 0x2 = {{input-dy-}} or {{input-ly-}} * 0x3 = {{input-dx-}} or {{input-lx-}} * 0x4 = {{input-dx+}} or {{input-lx+}} * 0x5 = {{input-a}} * 0x6 = {{input-b}} * 0x7 = {{input-x}} * 0x8 = {{input-y}} * 0xB = {{input-lt}} * 0xC = {{input-rt}} * 0x0 = Disabled{{FIXME|reason=Is this 0x00000000 only, or are shorter codes possible? can a middle section be 0x00 or would that end the sequence?}} ''Note'': * A passcode 0x00001423 is D-pad directions up (0x1), right (0x4), down (0x2), left (0x3). * Pass code only uses the lower 16 bits; each button is stored as a nibble in the word. First button in the most significant nibble and last in the least significant nibble. |- | 0xA4 | 0xA7 | Movies Parental Control (0 = Max rating) * 0x00000001 = Adults Only (NC-17) * 0x00000002 = Restricted (R) * 0x00000004 = Parents Strongly Cautioned (PG-13) * 0x00000005 = Parental Guidance Suggested (PG) * 0x00000007 = General Audiences (G) |- | 0xA8 | 0xAB | XBOX Live IP Address.. |- | 0xAC | 0xAF | XBOX Live DNS Server.. |- | 0xB0 | 0xB3 | XBOX Live Gateway Address.. |- | 0xB4 | 0xB7 | XBOX Live Subnet Mask.. |- | 0xB8 | 0xBB | Other XBLive settings ? |- | 0xBC | 0xBF | DVD Playback Kit Zone * 0x00000000 = None * 0x00000001 = Region 1 * ... * 0x00000006 = Region 6{{FIXME|reason=We should document which regions were actually sold in stores}} |- | 0xC0 | 0xFF | Unknown Codes / History ? do not change any values in this range |- |} Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h]. ^*Configmagic-FINAL-1.6 uses the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 value computed was correct only because the extra 4 bytes not used in the CRC computation were all 0's which does not change the CRC value. However, a similiar problem with computation of Checksum3 is present. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions. == Reading/Writing the EEPROM == === Software Method === This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP. === Hardware Method === If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see [http://dangerousprototypes.com/blog/bus-pirate-manual/ here] or [https://www.totalphase.com/products/aardvark-i2cspi/ here]), build an [https://www.youtube.com/watch?v=UcK6nKyKGVQ I2C-Serial cable], or use a device like a RaspberryPi which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See [https://github.com/grimdoomer/PiPROM here] for pinout information. Then use the corresponding software to read/write the EEPROM. == The HMAC SHA1 Hash == The HMAC SHA1 Hash is generated{{FIXME|reason=Stored? Derived? At factory?}} out of the first 48 bytes{{FIXME|reason=..first 48 EEPROM bytes? Encrypted / Decrypted?}}. This section has been identified clearly{{FIXME|reason=What does this mean?}}. == Checksum Algorithm == Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers: <pre> /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by * TeamAssembly under the GNU GPL. * Specifically, from XKCRC.cpp * * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org) * * Adapted for XboxDevWiki */ uint32_t EepromCRC(unsigned char *data, long dataLen) { // Initialize result to zero uint8_t crc[4] = { 0x00, 0x00, 0x00, 0x00 }; //Circle shift input data one byte right unsigned char* CRC_Data = (unsigned char *)malloc(dataLen + 4); memset(CRC_Data, 0x00, dataLen + 4); memcpy(CRC_Data + 0x01 , data, dataLen - 1); memcpy(CRC_Data, data + dataLen - 1, 0x01); // Calculate checksum for (unsigned int i = 0; i < 4; i++) { unsigned short CRCPosVal = 0xFFFF; for (unsigned long l = i; l < dataLen; l += 4) { CRCPosVal -= *(unsigned short*)(&amp;CRC_Data[l]); } CRCPosVal &= 0xFF00; crc[i] = (unsigned char) (CRCPosVal >> 8); } free(CRC_Data); return *(uint32_t*)&crc; } </pre> == Read Checksum Algorithm == When the Xbox reads from the FACTORY_SETTINGS or the USER_SETTINGS section of the EEPROM, this algorithm is ran over the entire section accessed (including the CRC checksum mentioned above) to ensure that the data is valid. If the result of the checksum algorithm does not equal 0xFFFFFFFF, STATUS_DEVICE_DATA_ERROR is returned from the Kernel. <pre>static uint32_t eeprom_section_checksum( const uint32_t* section_data, uint32_t section_data_length ) { const uint32_t bitmask = 0xFFFFFFFF; uint64_t checksum = 0; uint32_t carry_count = 0; // Process the data in 32 bit steps for(unsigned int i = 0; i < section_data_length / 4; i++) { checksum += *section_data; if(checksum > bitmask) { carry_count++; checksum &= bitmask; } section_data++; } checksum += carry_count; if(checksum > bitmask) { checksum += 1; } return (uint32_t)(checksum & bitmask); } </pre> == Further Reading == * [https://web.archive.org/web/20040604013125/http://console-dev.com:80/eeprom.htm Information about EEPROM contents] * [https://github.com/grimdoomer/PiPROM Read/Write an original Xbox EEPROM chip using a Raspberry Pi] * [https://mehmedbasic.dk/post/xbox-eeprom/ Read/Write an original Xbox EEPROM using a VGA port] * [https://www.youtube.com/watch?v=UcK6nKyKGVQ How To Make Xbox EEPROM Reader / Write (Video)] * [https://www.youtube.com/watch?v=uzrljlHDr9w How To Extract Xbox EEPROM Easy (Video)] 5cab388c81e404edbb44db44e96335c670604dc2 0 3707 6870 6821 2020-08-05T23:41:42Z Velocet 2505 Used the old Xbox Hard Drive Locking Mechanism article and cleaned everything a bit wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter{{FIXME|reason=This is under control of running application / variation even in official products?}} ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | [[Config Sector|Config Area]] | 0x00000000 | 0x00080000 | Fixed Structure | N/A |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"''{{FIXME|reason=Mark as unofficial / homebrew}} :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"''{{FIXME|reason=Mark as unofficial / homebrew}} '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking Mechanism and Basics == The hard drives in the Xbox are standard IDE drives locked with a key (referred to as the HDKey). The drive is unlocked by the Kernel at boot. The XBox uses a User Password with the Maximum security mode (see below). The password is generated in two distinct phases: * Extract the HDKey from the [[EEPROM]] which is unique to each Xbox making this phase dependent only on the [[EEPROM]]. * Generate a drive specific password (keyed to the model and serial number of the drive) with the extracted HDKey from the [[EEPROM]]. The security feature of the hard drive can be enabled and disabled by sending special ATA commands to the drive. If a device is locked, it will refuse all access until it is unlocked. === Locking Mechanism === The ATA/ATAPI Command Set - 2 (ACS-2) specification <ref>[http://www.t13.org/documents/UploadedDocuments/docs2011/d2015r7-ATAATAPI_Command_Set_-_2_ACS-2.pdf Draft: ATA/ATAPI Command Set - 2 (ACS-2) - T13/2015-D - Revision 7, June 22, 2011] (t13.org); Note: T13 drafts are freely available, only the final standards are behind a paywall.</ref> defines an optional ''SECURITY'' feature subset (chapter 7.43 - 7.48) which allows to limit access to the drive's data behind a hardware implemented locking mechanism: * SECURITY DISABLE PASSWORD (Chapter 7.43) * SECURITY ERASE PREPARE (Chapter 7.44) * SECURITY ERASE UNIT (Chapter 7.45) * SECURITY FREEZE LOCK (Chapter 7.46) * SECURITY SET PASSWORD (Chapter 7.47) * SECURITY UNLOCK (Chapter 7.48) ==== The Password ==== A device can have two passwords; either or both may be set with a maximum of 32 byte each. A device can be locked in two modes: High security mode or Maximum security mode. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode, the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. ===== User Password ===== If a ''User Password'' is set (SECURITY SET PASSWORD), the drive blocks the access on a reboot again so you have to re-enter the password (SECURITY UNLOCK). Setting the ''User Password'' will also set the ''Master Password Capability''. ===== Master Password ===== If the ''Master Password Capability'' is set the drive could be locked in one of two modes. Bit 8 in word 128 of the IDENTIFY response shows which mode the drive is in: * 0 = High: the ''Master Password'' could be used to unlock (SECURITY UNLOCK) just like the ''User Password'' or to deactivate the ''User Password'' (SECURITY DISABLE PASSWORD). * 1 = Maximum: the ''Master Password'' could only be used to wipe the drive (SECURITY ERASE UNIT). This makes the drive usable again but all data on it is lost. === Drive Data === During the second phase, the serial and model numbers are needed. These values are available in the response data from the DEVICE_IDENTITY ATA command. However, the data needs to be reorganized. It is read in Big Endian words, and needs to be byte swapped first to get the byte ordering correct. Then, starting from the end of the data (serial == 20 bytes, model == 40 bytes) ignore ASCII spaces (byte value of 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ASCII values in the fields. === Basic Security Algorithms === There are three primary cryptography routines/functions needed when generating an XBox drive password: * SHA1: Hashing algorithm. It's primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest. * RC4: Symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions. * HMAC: Uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature. ==== Password Algorithm ==== - Key data is shown entering functions from the side - Data is shown entring from above or below in order of presentation from left to right <pre> RC4_key &gt;--(second)--&gt;--, /|\ | | | .-&lt;--|__eeprom_key__|--&gt;-----------&gt; HMAC_SHA1 | | /|\ | | | | | .---&gt;-----------' | | | | | eeprom_data = |__data_hash___|__enc_conf__|__enc_data__| | | | | | | | | \|/ | | | | rc4_decrypt &lt;----|---------&lt;| | | | | | | \|/ | | | | (must be equal) | \|/ | | /|\ | rc4_decrypt &lt;---' | | | | | | \|/ \|/ | | |_confounder_|____data____| | | / / | | | / / | | | / / | | | / / | | | \|/ / \|/ `---&gt;-----------------&gt; HMAC_SHA1 / |__HDKey__|__| /|\ / | \______/ | | .-------------------------&lt;--------' | | model_number serial_number | \ / | \ / `---&gt;-----------------&gt; HMAC_SHA1 | \|/ HD_password </pre> This seems to be the easiest way to show the required calculations. Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes 20 bytes into eeprom_data) and the encrypted data (20 bytes 28 bytes into eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the eeprom. If they don't match then the eeprom data is not correct. If the hashes match then the first 16 bytes of the decrypted data field is the HDKey. Once you have the HDKey get the model and serial number from the drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros. == Unlocking == Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. === Unlock via Serial for Seagate drives === Look here: http://www.os2museum.com/wp/seagate-serial-talk/ === Universal Unlock Method(s) === '''TODO''' '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [https://web.archive.org/web/20150502210033/http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] eb324b4d210c930fc97e02dd6f167b897daf58d2 0 3790 6871 6211 2020-08-07T08:44:11Z Ryzee119 2519 Added offical memory unit USB descriptor wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. (It is rumored that the capacity should not exceed 4GB) However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |- |USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device |} == Protocol == === USB Descriptor (Offical Memory Unit) === <pre> Bus 002 Device 003: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] d69f35a7230538cda0d0ee4996b257e95ef931c4 0 3692 6872 6700 2020-08-08T13:45:57Z KaosEngineer 2482 many misspelled words corrected and a couple of punctuation changes made wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually, an official wireless adapter was released based on a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with an Xbox setup disc (which would update the dashboard if necessary). It was also [https://web.archive.org/web/20040508051958/http://www.xbox.com/en-US/live/connect/msmn740.htm described on Micosofts website]. ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some EEPROM which hold the MAC address (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 LEDs are Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what appears to be Serial test pins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" The latest firmware is separated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" There were at least 2 firmware updates for download: * [https://web.archive.org/web/20031210155952/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_101.htm MN740 1.01] * [https://web.archive.org/web/20040602231929/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_102.htm MN740 1.02] Judging by the firmware filenames above, there should also be an MN-740 1.00 and MN740 1.03. ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or web browser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 600be9d5f1a22c8ba9bfbcfca85043c0e4095b71 6873 6872 2020-08-08T13:49:43Z KaosEngineer 2482 /* Wireless adapter */ missed a typo Micosofts > Microsoft's wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually, an official wireless adapter was released based on a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with an Xbox setup disc (which would update the dashboard if necessary). It was also [https://web.archive.org/web/20040508051958/http://www.xbox.com/en-US/live/connect/msmn740.htm described on Microsoft's website]. ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some EEPROM which hold the MAC address (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 LEDs are Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what appears to be Serial test pins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the"ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" The latest firmware is separated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" There were at least 2 firmware updates for download: * [https://web.archive.org/web/20031210155952/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_101.htm MN740 1.01] * [https://web.archive.org/web/20040602231929/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_102.htm MN740 1.02] Judging by the firmware filenames above, there should also be an MN-740 1.00 and MN740 1.03. ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or web browser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] 8033603d04f29fc1ae80474a0310c79a5ec01073 6874 6873 2020-08-08T13:53:58Z KaosEngineer 2482 /* Firmware */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually, an official wireless adapter was released based on a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with an Xbox setup disc (which would update the dashboard if necessary). It was also [https://web.archive.org/web/20040508051958/http://www.xbox.com/en-US/live/connect/msmn740.htm described on Microsoft's website]. ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some EEPROM which hold the MAC address (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 LEDs are Power, Wireless and Xbox(called Ethernet on the PCB). The board seems to have Jtag and what appears to be Serial test pins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the "ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" The latest firmware is separated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" There were at least 2 firmware updates for download: * [https://web.archive.org/web/20031210155952/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_101.htm MN740 1.01] * [https://web.archive.org/web/20040602231929/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_102.htm MN740 1.02] Judging by the firmware filenames above, there should also be an MN-740 1.00 and MN740 1.03. ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or web browser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] d98865aef5eda12cd1c258573521e772d627655b 6875 6874 2020-08-08T13:56:00Z KaosEngineer 2482 /* Hardware */ wikitext text/x-wiki The Xbox contains an Ethernet module and one RJ45 connector. Additionally, separate modem and wireless accessories were considered when developing the console. Eventually, an official wireless adapter was released based on a "D-Link 108AG Gaming Adapter" in the end of 2003. The XDK provides a TCP/IP protocol stack complete with a DNS PPTP, DHCP clients. The IANA registered port 3074 (UDP / TCP) is reserved for Xbox communications (See [[System Link]] and [[Xbox Live]]). == Integrated network adapter == Integrated in the Nvidia Southbridge MCPX chip which is similar to the nForce chips. The Xbox MAC address is stored in the [[EEPROM]]. The network driver, including the protocol stack is contained in the XDK. The kernel only contains a small number of exports to reset and get the state of the NIC. The Xbox Linux team used the binary drivers from Nvidia{{citation needed}}{{FIXME|reason=Wasn't the open-source forcedeth driver used?}}. ==== Heartbeat ==== Ethernet II, Src: Microsof_f2:00:00 (00:50:f2:f2:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff) MS Network Load Balancing Signature: Unknown (0x584f4258) Version: 1.1 Unique Host ID: 3118682055 Cluster IP: 167.102.81.132 (167.102.81.132) Host IP: 4.89.169.109 (4.89.169.109) Signature Data - Unknown (1481589336) == Wireless adapter == based on the "D-Link 108AG Gaming Adapter", the Xbox MN-740 Wireless Bridge bundled with an Xbox setup disc (which would update the dashboard if necessary). It was also [https://web.archive.org/web/20040508051958/http://www.xbox.com/en-US/live/connect/msmn740.htm described on Microsoft's website]. ==== Hardware ==== * AR5312 CPU (MIPS 4Kc core?{{citation needed}}) * AR5212 RoC (Radio on Chip){{citation needed}} for 2.4 Ghz 802.11b/g{{citation needed}}. * KS8721B physical layer transciever * some EEPROM which hold the MAC address (based of FCC pictures and Firmware analysis){{citation needed}} * IC42S16400 8Mb ram * SST39LF0?0A (1 or 2 Mb) (the FCC picture is unclear on the size part due to writing) {{citation needed}} The onboard 3 LEDs are Power, Wireless and Xbox (called Ethernet on the PCB). The board seems to have Jtag and what appears to be Serial test pins exposed. ===== Firmware ===== This wireless bridge runs a closed source version of the "ThreadX JADE/Green Hills Version G4.0.4.0" RTOS. The firmware contains a copyright string of: "Copyright (c) Microsoft Corporation All Rights Reserved Device is Xbox Compatible" The latest firmware is separated by a boot and runtime firmware {{citation needed}} : * MN740_01.03.00.0005_BOOT.bin, "Xbox Wireless Adapter (MN-740) boot firmware" * MN740_01.00.02.0022_RUNTIME.bin, "Xbox Wireless Adapter (MN-740) runtime firmware" There were at least 2 firmware updates for download: * [https://web.archive.org/web/20031210155952/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_101.htm MN740 1.01] * [https://web.archive.org/web/20040602231929/http://www.microsoft.com/hardware/broadbandnetworking/readme/readme_mn740_102.htm MN740 1.02] Judging by the firmware filenames above, there should also be an MN-740 1.00 and MN740 1.03. ====== WPA2 support ====== The shipped firmware does not support WPA or WPA2. A "firmware" hack based on the D-Link firmware adds WPA support, rendering Dashboard support unfunctional and changing settings require connecting to the LAN port using a PC (or web browser capable application). ==== Software (Xbox setup disc) ==== The setup disc is a CD[http://redump.org/disc/53586/]. It contains an XISO filesystem that contains only a "default.xbe" which contains a dashboard updater. == References and links == * [https://xboxlivehacking.blogspot.de/ https://xboxlivehacking.blogspot.de/] * [https://www.google.com/patents/US20040009815 Patent: Managing access to content] * [https://www.google.com/patents/US20030093669 Patent: Network architecture for secure communications between two console-based gaming systems] * [https://www.google.com/patents/US20030093668 Patent: Architecture for manufacturing authenticatable gaming systems ] * [https://www.google.com/patents/US7803052 Patent: Discovery and distribution of game session information ] * [https://www.google.com/patents/US20030229779 Patent: Security gateway for online console-based gaming ] * [https://www.google.com/patents/US20030233537 Patent: Presence and notification system for maintaining and communicating information ] * [https://www.google.com/patents/US7218739 Patent: Multiple user authentication for online console-based gaming ] * [https://web.archive.org/web/20040831091347/http://www.xbox.com:80/assets/en-us/HardwareManuals/Xnewt.pdf Xbox Wireless adapter manual] * [https://www.hanselman.com/blog/FlashingTheFirmwareOfAnXboxMN740WirelessAdapterToADLink108AGToSupportWPASecurity.aspx Flashing the Firmware of an Xbox MN-740 Wireless Adapter to a D-Link 108AG to support WPA Security ] * [https://fccid.io/C3KMN740/Internal-Photos/Internal-Photos-360373.iframe FCC entry of Xbox MN-740 Wireless Adapter (with IC writing intact) ] b6b1250333344208545fcc21522aaedda8983db0 0 3703 6878 6696 2020-09-01T13:39:14Z Espes 2484 add xemu wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |LLE |{{Yes}} |xemu |[https://xemu.app/][https://github.com/mborgerson/xemu] |mborgerson |Windows/macOS/Linux | |xemu is a fork of XQEMU but more usable |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 676117800d4c7cdb80fadbcf37250a1085d1b2da 6879 6878 2020-09-01T13:42:08Z Espes 2484 Sort the more notable ones to the top wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |LLE |{{Yes}} |xemu |[https://xemu.app/][https://github.com/mborgerson/xemu] |mborgerson |Windows/macOS/Linux | |xemu is a fork of XQEMU but more usable |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |Fusion[http://michaelbrundage.com/project/xbox-360-emulator/] ([[Xbox 360 Backward Compatibility]]) | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |Fission[http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] ([[Xbox One Backward Compatibility]]) |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. | |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] ac324e05888248700156d0eca68d3d49ff2021e3 6880 6879 2020-09-01T13:43:52Z Espes 2484 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |LLE |{{Yes}} |xemu |[https://xemu.app/][https://github.com/mborgerson/xemu] |mborgerson |Windows/macOS/Linux | |xemu is a fork of XQEMU but more usable |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[[Fusion]][http://michaelbrundage.com/project/xbox-360-emulator/] | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Fission]][http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. | |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 9b37c4d43fe014f59471f7949a23ac847f8267a0 0 3669 6881 6830 2020-09-17T05:12:16Z KaosEngineer 2482 /* PHILIPS VAD6053 */ Only 1 L in this brand name - Philips, not 2. wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6053 ==== Also named: VAD6011/21 apear to have no brand or partnumber on its large main controller,might be Cirrus Logic based on its size and use of a Philips secondary smaller mcu. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC dvdrom drive Pioneer 500M with the Philips firmware to be a Xbox dvdrom drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 4f502a6e8af6c90f0b36e3692ca68058a04e8b9f 6882 6881 2020-09-17T05:14:58Z KaosEngineer 2482 /* PHILIPS VAD6035 */ 6035 not 6053, and fixed some typos. wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 8d8c79cd02a9fc029da3a05b7f62227b5eef9c4c 0 3821 6883 6734 2020-09-23T00:31:15Z GoTeamScotch 2526 Added photos of DVD emulation board and a separate photo of it next to the debugging board wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding which files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and possibly potential faults that could occur. The Hardware required for this was a Developement kit, (with the DVD emulation board) some sort of scsi cable, and an XDK-Raptor card.{{citation needed}} The complete kit, a Raptor PCI Scsi card and Hardisk was numbered: 940-75004 Rev.01 two or more versions of the PCI scsi card are known: * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. This wasn't the fastest way to get an executable to the Xbox for development, and is useless for Homebrew.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} Picture: [[File:https://i.imgur.com/VNFxuya.jpg]] Next to serial debugging board: [[File:https://i.imgur.com/OZqxKyH.jpg]] 0827bcaf9850998eb7fdad5443ad97505a1ce035 6 4000 6884 2020-09-23T00:33:19Z GoTeamScotch 2526 DVD emulation and serial debugging boards wikitext text/x-wiki DVD emulation and serial debugging boards 194f68a587b172c6abbb4f018abe8f3e03470741 0 3693 6885 6703 2020-10-24T06:30:38Z Billy549 2520 wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of Kerberos-based authentication tickets, with a Secure Gateway used to then access services (such as Matchmaking, Statistics/Leaderboards, and custom game servers) === Authentication servers === Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customisations for the Xbox. The first time an Xbox connects to Xbox Live from the factory, it'll connect to MACS.XBOXLIVE.COM and use a pre-shared key based from the Online Key, HDD Key, and a unique key present in all Xbox Live binaries. The server would then return a machine account that is then used for all further authentication (for example, to authenticate for the service to create a new Xbox Live user account). {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} === Matchmaking servers === === Game servers === === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. It will return XONLINETASK_S_RUNNING while the login process has not been completed. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) |Will return XONLINE_S_LOGON_CONNECTION_ESTABLISHED when the task is successfully completed. Otherwise it will return an error code. |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} == Discontinuation of service == The service was officially discontinued on April 15th, 2010. 12 players decided to stay in a lobby of ''Halo 2'' 24/7 to keep a server running. The final player, Apache N4SIR was streaming the entire event, as the player count of 12 twindeled down to just him. At 11:40 PM PDT, on May 11th 2010, Apache N4SIR was booted from the game[http://i.imgur.com/oQw6k5H.jpg]. 68838ad6a8282839b15b4ef8884efab241847da1 0 3781 6886 5625 2020-10-30T19:29:52Z Billy549 2520 Change URLs - remove web archive (CCC keeps their data up for old congresses) and change Google Video links to YouTube (asked in Discord) wikitext text/x-wiki {{retrieved|https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System}} by [https://web.archive.org/web/20100617003620/http://www.xbox-linux.org/wiki/User:Michael_Steil Michael Steil] {| class="wikitable" |- | This [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf paper], dated 2005-10-25, has been submitted to the [http://events.ccc.de/congress/2005/ 22nd Chaos Communication Congress] and has been on [https://events.ccc.de/congress/2005/fahrplan/events/559.en.html December 29th 2005, 18:00], at the Berliner Congress Center, Berlin, Germany. A '''recording''' of the presentation is available here: [https://www.youtube.com/watch?v=VdeciDTCCLQ YouTube: Team Xbox-Linux at 22C3]. '''Another recording''' of a slightly updated talk is available here: [https://www.youtube.com/watch?v=9NqLljaHc80 YouTube: Deconstructing The Xbox Security System] |} == Introduction == The Xbox is a gaming console, which has been introduced by Microsoft Corporation in late 2001 and competed with the Sony Playstation 2 and the Nintendo GameCube. Microsoft wanted to prevent the Xbox from being used with copied games, unofficial applications and alternative operating systems, and therefore designed and implemented a security system for this purpose. This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how ''not'' to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes. For every security concept, this article will first explain the design from Microsoft's perspective, and then describe the hackers' efforts to break the security. If the reader finds the mistakes in the design, this proves that Microsoft has weak developers. If, on the other hand, the reader doesn't find the mistakes, this proves that constructing a security system is indeed hard. === The Xbox Hardware === Because Microsoft had a very tight time frame for the development of the Xbox, they used off-the-shelf PC hardware and their Windows and DirectX technologies as the basis of the console. The Xbox consists of a Pentium III Celeron mobile 733 MHz CPU, 64 MB of RAM, a GeForce 3 MX with TV out, a 10 GB IDE hard disk, an IDE DVD drive, Fast Ethernet, as well as USB for the gamepads. It runs a simplified Windows 2000 kernel, and the games include adapted versions of Win32, libc and DirectX statically linked to them. Although this sounds a lot more like a PC than, for example, a GameCube with its PowerPC processor, custom optical drive and custom gamepad connectors, it is important to point out that, from a hardware point of view, the Xbox shares ''all'' properties of a PC: It has LPC, PCI and AGP busses, it has IDE drives, it has a Northbridge and a Southbridge, and it includes all the legacy PC features such as the "PIC" interrupt controller, the "PIT" timer and the A20 gate. nVidia sold a slightly modified Southbridge and a Northbridge with another graphics core embedded for the PC market as the "nForce" chipset between 2001 and 2002. === Motivation for the Security System === The Xbox being a PC, it should be trivial to install Linux on it in order to have a cheap and, for that time, powerful PC. Even today, a small and silent 733 MHz PC with TV connectivity for 149 USD/EUR is still attractive. But this is not the only thing Microsoft wanted to prevent. There are three uses that should not have been possible: * '''Linux''': The hardware is subsidized and money is gained with the games, therefore people should not be able to buy an Xbox without the intent to buy any games. Microsoft apparently feels that allowing the Xbox to be used as a (Linux) computer would be too expensive for them. * '''Homebrew/Unlicensed''': Microsoft wants the software monopoly on the Xbox platform. Nobody should be able to publish unlicensed software, because Microsoft wants to gain money with the games to amortize the hardware losses, and because they do not want anyone to release non-Internet Explorer browsers and non-Windows Media Player multimedia software. * '''Copies''': Obviously it is important to Microsoft that it is not possible to run copied games on the Xbox. Microsoft decided to design a single security system that was supposed to make Linux, homebrew/unlicensed software and copies impossible. The idea to accomplish this was by simply locking out all software that is either not on the intended (original) medium or not by Microsoft. On the one hand, this idea makes the security system easier and there are less possible points off attack. But on the other hand, 3 times more attackers have a single security system to hack: Although Open Source and Linux people, homebrew developers, game companies as well as crackers have little common interests, they could unite in this case and jointly hack the Xbox security system. Of the three consoles of its generation, Xbox, Playstation 2 and GameCube, the Xbox is the one whose security system has been compromised first, the one that is now easiest to modify for a hobbyist, the one with the most security system workarounds, and the one with the most powerful hacks. This may be, because the Xbox security is the weakest one of the three, but also because Open Source people, homebrew people and crackers attacked the Xbox, while the Open Source people did not attack the Playstation 2, as Linux had been officially supported by Sony, so the total number of hackers was lower, buying them time. === Idea of the Security System === In order to allow only licensed and authentic code to run, it is necessary to build a TCPA/Palladium-like chain of trust, which reaches from system boot to the actual execution of the game. The first link is from the CPU to the code in ROM, which includes the Windows kernel, and the second link is from the kernel to the game. There are several reasons that the operating system is contained in ROM (256 KB) instead of being stored on hard disk, like on a PC. First, it allows a faster startup, as the kernel can initialize while the hard disk is spinning up, furthermore, there is one link less in the chain of trust, and in case verification of the kernel gets compromised, it is harder to overwrite a ROM chip than modify data on a hard disk. == Startup Security == When turned on, x86-compatible CPUs start at the address 0xFFFFFFF0 in the address space, which is usually flash memory. For the Xbox, this is obviously no good idea, as flash memory can be * replaced, by removing the chip, fitting a socket and inserting a replacement chip. * overridden, by adding another flash memory chip to the LPC bus. This override functionality is necessary, because during manufacturing, an empty flash memory chip gets soldered onto the board, an override LPC ROM chip gets connected to the board and the system boots from the external ROM, which then programs the internal flash memory. This procedure is significantly cheaper than preprogramming the flash memory chips. * reprogrammed, because flash memory can be written to many times. It would be possible to use ROM instead of flash memory, but ROM is more expensive than flash memory. Thus, the machine must not start from flash memory. === Microsoft's Perspective === It would be possible to make two of the attacks impossible, by using ROM chips instead of flash. There would be no way to reprogram them, and it would be possible to disable the LPC override functionality in the chipset, because it is not needed for the manufacturing process any more. ==== The Hidden ROM ==== There is a solution between flash memory and ROM that combines advantages of both these approaches. This trick is rather old and had already been used in previous gaming consoles like the Nintendo 64: Use a tiny non-replaceable startup ROM, and put the bulk of the firmware data (i.e. the Windows kernel) into flash memory. The "internal" ROM checks whether the contents of the flash memory are authentic, and if yes, it passes execution to it. This way, there will be another link in the chain of trust, but the ROM code can be trusted (if it is non-replaceable), and if, in addition, it is non-accessible, an attacker may not even have a clue how verification works. ==== Location of the ROM ==== But where can this ROM be put? It cannot be a separate chip, as it would be replaceable. It would have to be included into another chip. The CPU would be ideal, as the ROM contents would not travel over any visible bus, but then it would be impossible to use cheap off-the-shelf Celerons. Including it in any other chip would make it non-replaceable, but data would travel over a bus. It seems to be a good compromise to store the ROM data in the Southbridge ("MCPX"), as it is connected via the ''very'' fast HyperTransport bus, so it is very hard to sniff. A former Microsoft employee confirmed that the developers tought that nobody was able to sniff HyperTransport. ==== Verification Algorithm ==== This secret ROM stored in the Southbridge must verify the Windows kernel in the external flash memory before executing it. One idea would be to checksum (hash) the flash contents using an algorithm like MD5 or SHA-1, but this would mean that the hash of the kernel has to be stored in the secret ROM as well, which would make it imposible to ship updated versions of the kernel in future Xboxes without also updating the ROM contents - which would be very expensive. A digital signature algorithm like RSA would be better: It would be possible to update the kernel without changing the ROM, but an RSA implementation takes up a lot of space, and embedded ROM in the Southbridge is expensive. It would be ideal if the algorithm fit in only 512 bytes, which is impossible for RSA. ==== Second Bootloader ("2bl") ==== A solution for this problem is again to introduce another link in the chain of trust: The ROM only hashes a small loader ("2bl", "second bootloader") in flash memory, which can never be changed. It is then the job of this loader to verify the rest of flash, and as the second loader can be any size, there are no restrictions. So the final chain of trust looks like this: The CPU boots from the secret ROM embedded into the Southbridge, which cannot be changed. The secret ROM verifies the second bootloader in flash memory using a hash algorithm, and if it is authentic, runs it. The second bootloader checks the kernel, and if authentic, runs it. Now the second bootloader and the Windows kernel would be stored in flash memory in plain text, which is a bad idea: An attacker can immediately see how the second bootloader verifies the integrity of the kernel, and even analyze the complex kernel for possible exploits. Encrypting all the flash contents will not solve possible vulnerability problems, but it will buy us time until the decryption of the flash contents is understood by hackers. The decryption key would have to be stored in the secret ROM, and the 2bl verification code would also have to decrypt the flash contents into RAM while reading it. ==== RAM Initialization ==== Decrypting flash memory contents into RAM is a challenge if we are living inside the first few hundred bytes of code after the machine has started up: At this point, RAM might not be stable yet. The reason for this is that Microsoft bought cheap RAM chips; they just took everything Samsung could give them to lower the price, even faulty ones, i.e. chips that will be unstable when clocked at the highest frequencies specified. The Xbox is supposed to find out the highest clock speed the RAM chips can go and run them at this frequency - this is the reason why some games don't run as smoothly on some Xboxes as on others. So the startup code in the secret ROM has to do a memory test, and if it fails, clock down the RAM, do another memory test, and if it fails again, clock down again, and so on, until the test succeeds or the RAM cannot be clocked down any further. The problem now is that it is impossible to do complex RAM initialization, data decryption and hashing in 512 bytes. This code would need at least 2 KB, which would be significantly more expensive, if embedded into the Southbridge. We could put the RAM initialization code, which is the biggest part of what the startup code needs to do, into flash memory, and call it from the secret ROM, but this would kill security, as an attacker could easily see the unencrypted code in flash, modify it and have the control of the machine right at the startup. The developers at Microsoft had a brilliant idea how to solve this problem: They designed an interpreter for a virtual machine that can read and write memory, access the PCI config space, do "AND" and "OR" calculations, jump conditionally etc. The instruction code has one byte instructions and two 32 bit operands, it can use immediate values as well as an accumulator. The interpreter for the virtual machine is stored in the secret ROM, and its code ("xcodes") is stored in flash memory. This code does the memory initialization (plus extra hardware initialization, which would not be necessary). This program cannot be encrypted, as there is again no space for it in the secret ROM, but as the virtual machine is unknown to the hacker, encryption should not be that important. It also cannot be hashed, as this would make it impossible to change the xcodes for later revisions of the Xbox hardware. Therefore we have to make sure that, if the hacker knows how the virtual machine works, it is impossible to do anything malicious with the xcodes. ==== The Virtual Machine ==== There are several ways an attacker could exploit the xcodes, which are by definition untrusted, because they reside in "external" flash memory. Microsoft included some code to make sure there were no possible exploits. ===== Read the Secret ROM ===== The xcodes can read memory and access I/O ports. This way an attacker could place xcodes into flash memory that dump the secret ROM, which must be mapped into the address space somewhere, to a slow bus, like the LPC or the I2C bus, or write it into CMOS or the EEPROM, so that we can read it later. The xcode interpreter has to make sure that the xcodes cannot read the secret ROM, which is located at the upper 512 bytes of the address space. The simplest way to accomplish this is to mask the address when reading from memory: <pre> and ebx, 0FFFFFFFh &nbsp;; clear upper 4 bits mov edi, [ebx] &nbsp;; read from memory location op1 into di jmp next_instruction </pre> This way, the xcodes can only ready from the lower 256 MB, which is no problem, as there are only 64 MB of RAM, and memory mapped I/O can be mapped into this region using PCI config cycles. ===== Turn off the Secret ROM ===== The xcodes may also not turn off the secret ROM, or else the CPU, while executing the xcode interpreter, would "fall down" from the secret ROM into the underlying flash ROM, which is also mapped to the top end of the address space. The turn off functionality is important: As soon as the second bootloader takes over, the secret ROM has to be turned off, or else an attack against a game, which makes it possible to run arbitrary code, could dump the secret ROM, making additional attacks against it possible. The secret ROM can be turned off by writing a value with bit #1 set to the PCI config space of device 0:1:0, register 0x80. So the xcode interpreter always clears this bit in case there is a write to this PCI config space register: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> ==== Encryption and Hashing ==== For the decryption of the second bootloader, Microsoft chose the RC4 algorithm, which is pretty small, as it fits into 150 bytes. It uses a 16 bytes key, which is also stored in the secret ROM. Microsoft's engineers also chose to use RC4 as a hash, so that no additional algorithm had to be implemented for this. Differential decryption algorithms feed the decrypted data into the generator of the decryption key stream, so if the encrypted code is changed at one byte, all the following bytes will decrypted incorrectly, up to the last bytes. This way, it is possible to only test the last few bytes. If they have been decrypted correctly, then the encrypted code has been authentic. (If you are getting suspicious now - read on!) In practice, the secret ROM in the Xbox compares the last decrypted 32 bit value with the constant of 0x7854794A. If it is incorrect, the Xbox has to panic. ==== Panic Code ==== So far, the code in the secret ROM does this: * Enter protected mode, and set up segment descriptors, so that we have access to the complete flat 32 bit address space. * Interpret the xcodes. * Decrypt and hash the second bootloader, store it in RAM * If the hash is correct, jump to the decrypted second bootloader in RAM, else panic. There is another possible attack here: A hacker could deliberately make the hash fail. If the Xbox then halts and flashes its lights to indicate an error, the attacker can attach a device to dump the secret ROM after the CPU has shut down and the bus is idle. Although HyperTransport is fast, it would be a lot easier to attach a device that actively requests the data from the Southbridge than sniffing it when the CPU requests it. One solution would be not to halt but to shut down the Xbox in case of a problem. The support chips have this functionality. But incorrect flash memory does not necessarily mean that there has been an attack, it could also be a malfunction, and the machine should use the LED to blink an error code. So we should leave the Xbox running, but just turn off the secret ROM, so that it cannot be read any more. But there is a problem: We have to do this inside the secret ROM. So if we disable the ROM, we cannot have the "hlt" instruction after that, because the CPU will "fall down" into flash memory - where an attacker could put code. On the other hand, if we halt the CPU, we cannot turn off the secret ROM afterwards. We cannot put the disable and halt code into RAM and jump there, because RAM might not be stable, and might even have been tampered with by an attacker (e.g. by turning off the memory controller using the xcodes) so that the secret ROM does not get turned off. We cannot put the disable and halt code into flash either, as again, an attacker could simply put arbitrary code to circumvent the complete system there. The Microsoft engineers used yet another brilliant trick: They jump to the very end of the address space (which is covered by the secret ROM) and turn off the secret ROM in the very last instruction inside the address space. This is a simplified version of the idea: <pre>FFFFFFF1 mov eax, 80000880h FFFFFFF6 mov dx, 0CF8h FFFFFFF9 out dx, eax FFFFFFFB add dl, 4 FFFFFFFC mov al, 2 FFFFFFFE out dx, al </pre> After the last instruction, the program counter (EIP) will overflow to 00000000, which, according to the CPU documentation, causes an exception, and as there is no exception handler set up, it causes a double fault, which will effectively halt the machine. === The Hacker Perspective === So much for the theory. The design looked pretty good, although the trade off between cost and security as it has been decided, might give some people headaches. Let us now have a look at the Xbox from the hackers' point of view. It has been well known that the Xbox chipset is a modified version of nVidia's nForce chipset, so we knew that it was standard IDE, USB, there was an internal PCI bus and so on. Two hackers from Great Britain, Luke and Andy, checked the hard disk and found out that it uses a custom partitioning scheme, a FAT-like filesystem, that there is no kernel on the hard disk, but there is the Xbox Dashboard on the fourth partition, the main program that gets executed if there is no game in the DVD drive, which allows changing settings, playing audio CDs and managing savegames. ==== Extracting the Secret ROM ==== Andrew "bunnie" Huang, then a PhD student at the MIT, disassembled his Xbox, saw the flash memory, de-soldered it, extracted the contents, put it on his website and got a phone call from one of Microsoft's lawyers. The flash memory image was obviously encrypted, but there was x86 binary code in the upper 512 bytes! Obviously, there should be no code in the upper 512 bytes, as this gets overridden by the secret ROM, which contains the actual machine setup and flash decryption code. Bunnie found out that this code was an interpreter for tables in flash memory, plus a decryption function that looked like RC4. He rewrote the crypto code in C and tried it on the data - but the resulting data was random, obviously something was wrong. The interpreter didn't make much sense either. The code used opcodes that were unknown to the interpreter. In order to find out what was wrong, bunnie rewrote the top of flash with his own code, and later even completely erased the upper 512 bytes, but the Xbox still booted! So it was obvious to him that this region gets overridden by some internal code. As it turned out later, the code in the upper 512 bytes of the flash image was a very old version of the secret ROM code, which had been unintentionally linked to the image by the build tools. It seems like nobody had looked at the resulting image at the end, before they shipped the consoles. This mistake was very close to a fatal one, and Microsoft was lucky that they didn't link the actual version of the secret ROM. But it didn't make that much of a difference, as bunnie sniffed the busses, and eventually dumped the complete secret ROM, including the RC4 key from HyperTransport, using a custom built sniffer - after all, he was working on his PhD degree about high performance computing, and he could use the excellent resources of the MIT hardware lab. When he published his findings, other people found out quite quickly that the validity check did nothing at all: The combination of decryption and hash with a cypher that feeds back the decrypted data into the key stream is a good idea, but unfortunately, RC4 is no such cypher. It decrypts bytes independently, so if one byte is wrong, all the following bytes will still be decrypted correctly. So checking the last four bytes has no effect: There is no hash. It turned out that the cypher used in the old version of the secret ROM as found in flash memory used the RC5 cypher. In contrast to RC4, RC5 does feed the decrypted stream back into the key stream. So they seem to have replaced RC5 with RC4 without understanding that RC4 cannot be used as a hash. Bunnie's theory why they abandoned RC5 is that RC5 was still a work in progress, and that Microsoft wasn't supposed to have it, so they went for the closest relative - RC4. ==== Modchips ==== Now that the encryption key was known and there was effectively no hash over the second bootloader, it was possible to patch this code: People added code to the second bootloader to patch the kernel after decryption (and decompression) to accept executables even if on the wrong media (DVD-R instead of original) or if the RSA signature of the executables was broken (i.e. unsigned homebrew software). Modchips appeared: Some of them had a complete replacement flash memory chip on them, others only patches a few bytes and passed most reads down to the original flash chip. All these modchips had to be soldered in parallel to the original flash chip, using 31 wires. Now other people found out that, if the flash chip is completely missing, the Xbox wants to read from a (non-existant) ROM chip connected to the (serial) LPC bus. This is of course because of the manufacturing process: As it has been explained before, the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. Modchip makers soon developed chips that only needed 9 wires and connected to the LPC bus. It was enough to ground the data line D0 to make the Xbox think that flash memory is empty. Lots of these "cheapermods" appeared, as they only consisted of a single serial flash memory chip. They could be installed within minutes, especially after some companies started shipping chips that used pogo pins, so that no soldering was required. Some groups wrote applications like boot menus that made it possible to copy games to hard disk and run them from there. Patched Xbox kernels appeared that supported bigger hard disks. Making the Xbox run copies from DVD-R or hard disk as well as homebrew applications written with the official Xbox SDK was now easy. ==== Backdoors ==== The Xbox Linux Project was working on two ways to start Linux: Either run the Linux kernel from a CD/DVD as if it was a game, or run it directly from flash memory, or from HD/DVD using a Linux bootloader in flash memory, so that the Xbox behaved like a PC. For the latter, Xbox Linux was working on a replacement firmware. It would have been no problem to write a replacement firmware that took over execution instead of the second bootloader, as it was possible to completely replace this second bootloader, as well as encrypt it, using the well-known key from the secret ROM. But the firmware developers felt very uncomfortable with the idea of using this secret key in their GPL code. Other hackers felt the same, and thus were looking for bugs and backdoors in the secret ROM code, in order to find a way to be able to implement a replacement firmware without having to deal with encryption. ===== The Visor Backdoor ===== A hacker named visor, who never revealed his real name, wondered whether the rollover to 00000000 in case of an incorrect 2bl "hash" really caused a double fault and halted the CPU. He used the xcodes to write the assembly instruction for "jmp 0xFFFF0000" to the memory location 00000000 in RAM and changed the last four bytes in 2bl, in order to make the secret ROM run the panic code. The Xbox happily continued executing code at 00000000 and took the jump into flash. When appending these instructions to the existing xcodes, he could make sure that RAM had been properly initialized and was thus stable. So there was no need to encrypt the Xbox Linux bootloader firmware with the secret key any more. It was enough to add the memory write instruction to the end of the xcodes and make sure that 2bl decryption fails - which will automatically happen, if the firmware replacement does not contain the 2bl code. Now why is there no double fault? Hackers from the Xbox Linux team checked with AMD employees and they explained that AMD CPUs ''do'' throw an exception in case of EIP overflows, but Intel CPUs don't. The reason that Intel CPUs don't is because of... 1970s stuff. Execution on x86 CPUs starts at the top of the address space (minus 16 bytes), but some computer makers wanted to have their ROM at the bottom of the address space, i.e. at 0, so Intel implemented the instruction with the encoding 0xFFFF, which is what you get when reading from addresses not connected to any chip, as a No-Operation ("nop") and made the CPU throw no exception in case of the address space wraparound. This way, the CPU would "nop" its way up to the top, and finally execute the code at 0. AMD did not implement this behavior, as it had not been necessary any more by the time AMD entered the x86 market with it own designs, and because they felt that this behavior was a security risk and fixing it would not mean a significant incompatibility. But why did Microsoft do it wrong? This can be explained with the history of the Xbox: AMD offered to design and manufacture both the CPU and the motherboard (including the chipset), and nVidia was contracted to contribute the graphics hardware. The first developer systems, even outside of Microsoft, were Athlon-based, but then Intel came in and offered their chips for less money, as well as the complementary redesign of the existing AMD chipset to work with their CPU. Consequently, nVidia licensed the AMD chipset so that the AMD name vanished. This also means, that nVidia nForce chipset is essentially AMD technology, closely related to the AMD-760 chipset. So when Microsoft switched from AMD to Intel, they apparently forgot to test their security code again with the new hardware, or to read the Intel datasheets. ===== The MIST Hack ===== Soon after the visor hack, another vulnerability was found in the secret ROM code, attacking the code that checks whether an xcode wants to disable the secret ROM. Let us look at this code again: <pre> cmp ebx, 80000880h &nbsp;; ISA Bridge, MCPX disable? jnz short not_mcpx_disable&nbsp;; no and ecx, not 2 &nbsp;; clear bit 1 not_mcpx_disable: mov eax, ebx mov dx, 0CF8h out dx, eax &nbsp;; PCI configuration address add dl, 4 mov eax, ecx out dx, eax &nbsp;; PCI configuration data jmp short next_instruction </pre> The PCI config address is stored in the EBX register in the beginning. This address has to be sent to I/O port 0x0CF8, and the 32 bit data has to be sent to I/O port 0x0CFC. The address is encoded like this: <pre>0-7 reg 8-10 func 11-15 device 16-23 bus 24-30 reserved 31 always 1 </pre> The attack is pretty obvoius: there are seven reserved bits in the address, and the code tests for a single exact value. What happens if we write to an alias of the same address, by using an address with only some of the bits 24 to 30 changed? While the instruction <pre>POKEPCI(80000880h, 2) </pre> will be caught, the instruction <pre>POKEPCI(C0000880h, 2) </pre> will not be caught - and works just as well, because the PCI bus controller just ignores the unused bits. This instruction disables the secret ROM, that is, the interpreter disables itself when sending the value to port 0x0CFC, and the CPU falls down to flash memory. We can put a "landing zone" into flash, by filling all of the top 512 bytes with "nop" instructions, and putting a jump to the beginning of flash into the last instruction, so that we do not have to care where exactly the CPU lands after falling down, and we are independent of possibly hard to reproduce caching effects. It is hard to find a good reason for this bug other than carelessness. It might be attributed to not reading the documentation closely enough, as well as not looking at it from the perspective of a hacker well enough. After all, this code had been written with a specific attack in mind - but the code made hacking easier, by giving hackers a hint how to attack. ===== Another PCI Config Space Attack ===== There is a second sequence of xcode instructions that can disable the secret ROM just as well, which are not caught by the interpreter: The interpreter supports writing bytes to I/O ports, so it is possible to put together the code to disable the secret ROM using 8 bit I/O writes: <pre>OUTB(0xcf8), 0x80 OUTB(0xcf9), 0x08 OUTB(0xcfa), 0x00 OUTB(0xcfb), 0x80 OUTB(0xcfc), 0x02 </pre> This hack has been unreleased until now. It has been found not long after the MIST hack, but kept secret, in case Microsoft fixed the MIST bug. In the meantime, they have implemented a fix that makes all hacks impossible that are based on turning off the secret ROM. This will be described in detail later. ===== More Ideas ===== There have been more ideas, but few of them have been pursued, as long as other existing backdoor existed. One possible idea is to base a hack on caching... == Startup Security, Take Two == When bunnie hacked the secret ROM, Microsoft reacted by updating the ROM. Thousands of already manufactured Southbridges were trashed, new ones made. The hacker community called these Xboxes "version 1.1" machines. === Microsoft's Perspective === Microsoft had now understood that RC4 cannot be used as a hash, so they implemented an additional hash algorithm, which was to be executed after decryption. As there were only few bytes left, the hash algorithm had to be tiny - so the "Tiny Encryption Algorithm" ("TEA") was used. Every encryption algorithm can be changed to be used as a hash, and TEA seemed to be a good choice, as it is really small. While they were at it, they also changed the RC4 key in the secret ROM, so that hackers would not be able to decrypt 2bl and the kernel without dumping the new secret ROM. === The Hacker Perspective === The extraction of the secret ROM was done by members of the Xbox Linux Project this time, only days after they got their hands on the new 1.1 boxes, and only two weeks after they first appeared. ==== The A20 Hack ==== To date, Microsoft does not know how the Xbox Linux Project did it. But since there will most probably be no future revisions of the Xbox, as the Xbox 360 has already taken over, we can release this now. Let us start with some PC history. The 8086/8088, the first CPU in the x86 line, was supposed to be as closely compatible to the 8080, which was very successful on the CP/M market. The memory model therefore was similar to the 8080, which could access only 64 KB, by dividing memory into 64 KB blocks. Intel decided that the 8086/8088 could have a maximum of 1 MB of RAM, which would have meant 16 "segments" of 64 KB each. But instead of doing it this way, they decided to let the 64 KB segments overlap, and have 65536 of these segments, starting every 16 bytes. An address was therefore specified by a segment and an offset. The segment would be multiplied by 16, and the offset would be added, to result in the effective address. As an example, 0x0040:0x006C would be 0x40*0x10+0x6C=0x46C. An interesting side effect of this method is that it is possible to have addresses above 1 MB: The segment 0xFFFF starts at the effective address 0xFFFF0, so it should only contain 16 bytes instead of 64 KB. So the address 0xFFFF:0x0010 would be at 1 MB, and 0xFFFF:0xFFFF would be at 1 MB plus roughly 64 KB. The 8086/8088 could not address more than 1 MB, because it only had 20 address lines, so addresses above 0xFFFF:0x000F were wrapped around to the lower 64 KB. But this behavior was different on the 286, which had 24 address lines: It was actually possible to access roughly 64 KB more using this trick, which was later abused by MS-DOS as "high memory". Unfortunately there were some 8086/8088 application that broke, because they required the wraparound for some reason. It wasn't Intel who found that out, but IBM, when they designed the IBM AT, and it was too late to modify the behavior of the 286, so they fixed it themselves, by introducing the A20 Gate ("A20#"). An unused I/O pin in the keyboard controller was attached to the 20th address line, so that software could pull down address line 20 to 0, thus emulating the 8086/8088 behaviour. This feature was later moved into the CPUs, and all Pentiums and Athlons have it - and so does the Xbox. If A20# is triggered, bit 20 of all addresses will be 0. So, for example, an address of 1 MB will be 0 MB, and if the CPU wants to access the top of RAM, it will actually access memory that is 1 MB lower than the top. Keeping this in mind, the attack on the Xbox is pretty straightforward: If we connect the CPU's A20# pin to GND, the Xbox will not start from FFFFFFF0, but from FFEFFFF0 - this is not covered by the secret ROM, but is ordinary flash memory, because flash is mirrored over the upper 16 MB. So by only connecting a single pin, the secret ROM is completely bypassed. What is cool about this, is that the secret ROM is still turned on. So we could easily dump the secret ROM trough one of the low speed busses (we used the I2C bus), by placing a small dump application into flash memory. ==== The TEA Hash ==== After reading Bruce Schneier's book on crypto, we learned that TEA was a really bad choice as a hash. The book says that TEA must never be used as a hash, because it is insecure if used this way. If you flip both bit 16 and 31 of a 32 bit word, the hash will be the same. We could easily patch a jump in the second bootloader so that it would not be recognized. This modified jump lead us directly into flash memory. But why did they make this mistake? Obviously the designers knew nothing about crypto - again! - and just added code without understanding it and without even reading the most basic books on the topic. A possible explanation why they chose TEA would be that they might have searched the internet for a "tiny" encryption algorithm - and got TEA. ==== Visor Backdoor and MIST Hack ==== The Visor Backdoor was still present, so again, for the replacement Linux firmware, the Xbox Linux developers did not have to exploit the crypto code, but could simply use this backdoor. Microsoft obviously released the updated secret ROM much too quickly, just after bunnie dumped it and people saw that RC4 was no hash, but before the visor backdoor had been discovered. The MIST hack had been discovered after the visor bug - but it no longer worked on the Xbox 1.1. Not because they fixed the comparison - they didn't -, but because they changed the address logic: If you accessed the upper 512 bytes of the address space, and the secret ROM was turned off, the Xbox would just crash, thus making all "fall down" hacks impossible. This way they closed both possible attacks, writing to an alias, and using 5 OUTB instructions. Microsoft obviously discovered the turnoff vulnerability themselves, closing at least one backdoor, but keeping another one open, and not really closing a second one. It was too expensive to trash the 1.1 Southbridge chips again for yet another update, so Microsoft still uses these chips in today's Xboxes. === Today === In later revisions of the Xbox, Microsoft removed some pins of the LPC bus, making modchip design harder, but they could not remove the LPC bus altogether, because they needed it during the manufacturing process. In the latest revision of the Xbox hardware (v1.6), they finally switched from flash memory to real ROM - and even integrated the ROM with the video encoder. The LPC bus is not needed for manufacturing any more, as the ROM chips are already preprogrammed. So now it is impossible to replace or to overwrite the kernel image, and because of the missing LPC bus, it also seems impossible to attach a ROM override. But modchips are still possible. The obvious LPC pins are gone now, but the bus is still there. If you find the LPC pins on the board, you can attach a ROM override just as before, the modchips are only a bit harder to install. This is because the Southbridge still has the LPC override functionality, since they did not make a new revision of it - as so often, obviously for monetary reasons. == Xbox Kernel Security == Let us have a look at the chain of trust again: * The CPU starts execution of code stored in the secret ROM. * The secret ROM decrypts and verifies the second bootloader. * The second bootloader decrypts and verifies the Windows kernel. * The Windows kernel checks the allowed media bits and the RSA signature of the game. This last link is a complete software thing, so all the attacks have been pretty much standard. Some people tried to brute force the RSA key used for the game signature - no joke! But what is more likely, successfully brute forcing RSA 2048, or finding a bug in Microsoft's security code? After the experience with the first links of the chain of trust, the Xbox Linux Project focused on finding bugs in the software. We found no bug in the RSA implementation. It is taken straight out of Windows 2000 and looks pretty good. But there are always implicit additional links in the chain of trust: All code reads data, and data can cause security risks if handled incorrectly. === Game Exploits === What data do games load? Graphics data, audio data, video data... - but we cannot alter them, because it is not easily possible to create authentic Xbox DVDs, and the Xbox won't boot originals from DVD-R etc. But most games can load savegames, and these can easily be changed: The Xbox memory units are more or less standard USB storage devices ("USB sticks"), so it is possible to use most USB sticks with the Xbox, and just store hacked savegames on them. Plenty of Xbox games had buffer vulnerabilities in their savegame handlers. It was often as easy as extending the length of strings like the name of the player, and the game would overwrite its stack with our data and eventually jump to the code we embedded in the savegame. The procedure for the user was then to simply copy a hacked savegame from a USB stick onto the Xbox hard disk, run the game and load the savegame. But after a buffer exploit, we would normally only be in user mode - not on the Xbox, as all Xbox games run in kernel mode. The reason for this is probably a slight speed advantage, or, less likely, a simpler environment for the game, but Microsoft tried to make the environment as similar to the Windows/DirectX environment as possible, so user mode would have actually made the environment "simpler" for many Windows/DirectX developers. Now that we have full control of the machine, we can overwrite the flash memory chip. It is write protected by default, but disabling the write protection is as easy as soldering a single bridge on the motherboard. After all, this bridge has to be closed temporarily during manufacturing when programming flash memory for the first time. Using this hack, it is possible, only with a USB stick, one of several games (007 Agent Under Fire, MechAssault, Splinter Cell, ...) and a soldering iron, to permanently modify the Xbox, just as if a modchip was installed. Because early Xboxes had a 1 MB flash chip, although only 256 KB had been used, it was even possible to install several ROM images in flash and attach a switch. But the Xbox Linux Project did not blindly release this hack. The first savegame proof of concept exploit had been finished in January 2003. After that, a lot of energy was invested in finding out a way to free the Xbox for homebrew development and Linux, but not allowing game copies. Microsoft was contacted, but without any success. They just ignored the problem. Finally in July, the hack was released, with heavy obfuscation, and lockout code for non-Linux use. It was obvious that this would only slow down the "hacking of the hack", so eventually, people would be able to use this vulnerability for copied games, but since Microsoft showed no interest in finding a solution, there was no other option than full disclosure. The suggestion of the Xbox Linux Project would have been to work together with Microsoft to silently close the security holes and, in return, work on a method to let homebrew and Linux run on the Xbox. === Dashboard Exploits === The problem with the savegame hack was that, if you didn't want to overwrite the flash memory chip, you had to insert the game and load the savegame every time you wanted to run unsigned code. But having full control of the machine using the savegame exploit also meant we could access the hard disk without opening the Xbox. This way, it became interesting to closely examine the hard disk contents for vulnerabilities. The Dashboard is the main program on hard disk, executed every time the Xbox is started without a game in the DVD drive. The dashboard may even be the very reason the Xbox ships with a hard disk: While the settings menu and savegame management on the Nintendo GameCube fit well into 2 MB of ROM, the Xbox Dashboard, which is roughly comparable in its functionality, occupies more than 100 MB. So the original idea why to include a hard disk might have been initiated by the inability to compress the Dashboard into typical ROM sizes - and they might have decided to make the best out of it, and find additional uses for the hard disk. The dashboard loads its data files, like audio and graphics, from hard disk. With the savegame exploit, we can now alter the hard disk contents, even without opening the Xbox. Of course the dashboard executable is signed and can therefore not be altered, and all data files are hashed, with the hashes stored inside the dashboard executable. Well, all files, except for two: the font files. Consequently, there was an integer vulnerability in the font handling routines, so that we could run our own code by replacing the font files. Combined with the savegame exploit, it was as easy as transferring the savegame and loading it, which would run a script that modifies the fonts. Now every time the Xbox is turned on, the Dashboard crashes because of the faulty fonts and runs our code embedded in these files. Our code reloads the Dashboard with the original fonts, hacks it, and runs it. Hacking the Dashboard meant two things: Modifying one menu entry to read "XBOX LINUX" instead of "XBOX LIVE" and running the Linux bootloader instead of the Xbox Live setup executable, and modifying the kernel to accept both applications signed with Microsoft's RSA key as well as those signed with our RSA key, from hard disk and from CD/DVD. We called this "MechInstaller", as it was based on the "MechAssault" savegame exploit. Only accepting code either signed by the original key or by our key, keeping our key secret, and using heavy obfuscation again, meant that nobody could easily abuse this solution for copied games. This hack shows several things: Hackers have phantasy, the combination of flaws can lead to fully compromising the security system, powerful privileged code should be bug-free and security code should really catch ''all'' cases. Oh, and there is another vulnerability, an integer vulnerability in the audio player code. The attack was developed independently of the font attack, but was inferior because it would have required the user to enter the audio player every time to run Linux. ==== Microsoft's Fixes ==== The history of Microsoft's reactions to the font vulnerability is the perfect lesson of how to do it wrong. # After MechInstaller had been released, Microsoft fixed the buffer vulnerability in the Dashboard and distributed this new version over the Xbox Live network and shipped it with new Xboxes. # For the hackers, this was no major problem: It was possible to downgrade the Dashboard of a new Xbox to the vulnerable version. Just run Linux using a savegame exploit, and "dd" the old image. Some people felt downgrading on new Xboxes was not piracy, because after all, Microsoft upgraded Xbox Live users' hard disks to the new version without asking. # As the next step, Microsoft blacklisted the old Dashboard in the new kernel. It was impossible to just "dd" an old Dashboard image onto newer Xboxes. # Still no major problem for hackers: The second executable on the hard disk, "xonlinedash", which is used for Xbox Live configuration, had the same bug, so it was possible to copy the old "xonlinedash" and to rename it to "xboxdash" to make it crash because of the faulty fonts. # Microsoft consequently blacklisted the vulnerable version of "xonlinedash". # Again, no major problem for hackers: All Xbox Live games come with the "dashupdate" application, which adds Xbox Live functionality to the Dashboard for the first Xboxes which came without it. This update application has the same font bug, and it can be run from hard disk. So it is possible to copy the file from any Xbox Live game DVD, rename it to "xboxdash" and let it crash. # Microsoft could not blacklist this one. Xbox Live enabled games run the update application every time they start, making sure the Xbox has the Xbox Live functionality. Blacklisting "dashupdate" would break these games. We won. == The Mistakes that Have Been Made == Microsoft obviously made a lot of mistakes. But it would be too easy to just attribute all these to stupid engineers. There have been good (and different) reasons for most of these mistakes, and one can learn a lot from them. There are 17 kinds of mistakes they made, several of which have been made more than once. I will group the 17 mistake types into three categories: Design mistakes, implementation mistakes and bad policy decisions. === Design === ==== #1: Security vs. Money ==== Be very careful with tradeoffs between security and money. There are rarely sensible compromises. Keep in mind that the very reason for the security system is to make more money, or to prevent money losses. Security systems cannot be "a little better" or "a little worse". Either they are effective - or they are not. By saving money on the security system, you may easily make it not effective at all, not only wasting the money spent on the security system, but also making losses because it is not effective. Microsoft made many compromises. * In-system programming of flash memory is cheaper than preprogramming, but an attacker can also override the firmware with an LPC ROM. * Buying all of Samsung's RAM chips is cheaper than only buying those within the specs, but it made RAM initialization more complex, using up space that could otherwise be used for better security code. * They chose to put the secret ROM into the Southbridge instead of the CPU, because the Southbridge was a custom component anyway and having a custom CPU would have been a lot more expensive, but keys travel over a visible bus if the secret ROM is outside the CPU. * They saved money choosing not to update the Southbridge a second time, which would have fixed the TEA hash and removed the visor backdoor. This would have made modchips virtually impossible. ==== #2: Security vs. Speed ==== Don't trade security for speed. Although it may be true that the product in question must be as fast as possible in order to be able to compete with similar products on the market, remember that in IT, computers aren't slower or faster by some percentage - but by factors! Besides, you might lose more money because of a security system that does not work than because of a product that is 10 percent slower than it could be. Most probably for added speed (one address space, no TLB misses), Microsoft chose to run all code in kernel mode, even games that interacted with untrusted data that came from the outside. This made it possible to have complete control of the machine once a game crashed because of a prepared savegame, including complete control of the hard disk and the possibility of booting another operating system. ==== #3: Combinations of Weaknesses ==== Be aware of the fact that a combination of security flaws can lead to a successful attack. Don't think that a possible security hole (or "only" a security risk) cannot be exploited because there are so many barriers in front of it. Attackers might break all the other barriers that block the vulnerability, and fixing that one hole would have stopped them. MechInstaller is a great example for that. It was only possible because of the combination of several security weaknesses: * The boot process was vulnerable, so we could use a modified kernel to analyze games. * Some games are not careful enough with savegames, so that we can run our own code. * Games run in kernel mode, so we have full control of the hardware. * The Dashboard does not verify the integrity of the font files. * The Dashboard has a vulnerability in the font code. If any of these weaknesses had not been there, then MechInstaller would not have been possible. Also note that hackers have enough fantasy to find out these combinations. ==== #4: Hackers' Resources ==== Understand that hackers may have excellent resources. Hobbyists may use resources from work or from university, and professional attackers can also be very well-equipped. It is a big mistake to underestimate them. So never think you are safe because it would be too much work or too expensive to exploit a weakness. If it is a weakness, it will eventually be exploited. Also understand that hackers may have excellent human resources. Not only in number, but also in qualifications. Microsoft put the secret ROM into the Southbridge instead of the CPU, which meant that the secret key would travel over a visible bus. This is the very fast HyperTransport bus, which, at that time, could not be sniffed using logic analyzers any mortal could afford. But with help of the resources of the MIT and using all of his expertise, bunnie could build his own hardware that could sniff the bus. ==== #5: Barriers and Obstacles ==== Don't make anything "harder for hackers". Instead make it "impossible for hackers", or, if it cannot be made impossible, don't care about it. Because of the potential great number and excellent qualifications of hackers, no obstacle will have any effect or slow down hacking significantly. But instead, in security design, you might make mistake #3, because you think you are safe as there are so many obstacles in the hackers' way. Use the resources you would invest into building obstacles into building or strengthening barriers instead - possibly at a different location. Microsoft built obstacles into the system at many different locations. * Savegames will only be accepted if they are signed, but the private key is of course stored inside the game, so this is no barrier. Instead, they should have made sure the games contain no buffer vulnerabilities in their savegame handlers. * The hard disk is secured with an ATA password, different for every Xbox and stored on an EEPROM inside the Xbox, but an attacker can just "hotswap" an unlocked hard disk from a running Xbox to a running PC. Instead, they should have put that energy into verifying whether the Dashboard really hashes all data it reads from the hard disk. * The 512 bytes of security startup code were embedded in a custom chip to make it hard to sniff. Instead, they should have made sure that there are no bugs in that security code. ==== #6: Hacker Groups ==== Don't use one security system for different purposes, or else attackers with very different goals will jointly attack it, being a lot more effective. Instead, try to find out who your enemies really are and what they want, and design your security system so that every group gets as much of what they want so that it does not hurt you. There were three possible goals for Xbox hackers: Run Linux and use it as a computer, run homebrew software like media players and emulators, and run copies. Although there were some overlaps between Linux and homebrew people, as well as between homebrew people and people interested in copies, these were essentially three very different groups. Because they were all locked out by the same protection, they worked together, either explicitly, or implicitly, by using the results of each other. No Linux hackers ever attacked the Playstation. When you are fair, people don't fight you. ==== #7: Security by Obscurity ==== Security by obscurity does not work. Well-proven algorithms like SHA-1 and RSA work (of course given your implementation is well-proven as well). Microsoft hid the secret ROM, the Windows kernel, the game DVD contents (no way to read them on a standard DVD drive) and the hard disk contents using different methods. None had any effect. Also see #5. ==== #8: Fixes ==== When your security system has been broken, don't release quick fixes, for two reasons: Your fixes may be flawed and may not actually correct the problem, and even worse holes may be found not much later, which you must fix again - and ship yet another version. Instead, every time a security vulnerability is found, audit your complete security system and search for similar bugs, as well as other bugs in the same part of the system, based on the knowledge you gained from the successful hack. Microsoft failed to correct the hash problem in the second version of the secret ROM, and didn't fix the visor vulnerability, which was found just weeks later. After trashing thousands of already manufactured v1.0 Southbridge chips, which was very expensive, they decided not to update the Southbridge a second time. Another example is the dashboard odyssey: Instead of blacklisting the vulnerable executables at a time, they released three updates, none of which was effective. === Implementation === ==== #9: Data Sheets ==== Know everything about the components you use. Do read data sheets. Be very careful with components that have legacy functionality. Microsoft did not notice the A20# legacy functionality as a security risk. It seems that they did not completely analyze the functionality of the Pentium III Celeron, or else they should have noticed. They also apparently did not read the Pentium programmers' manual, or else they would have noticed that Intel CPUs do not panic on a FFFFFFFF/00000000 wraparound. ==== #10: Literature ==== Read (at least!) standard literature. If you are dealing with cryptography, this means you have to read at last Schneier's "Applied Cryptography". Microsoft's engineers did not know that TEA must not be used as a hash, and that RC4 does not feed the decrypted stream back into the key stream. ==== #11: Pros ==== Get experienced professionals to work on your security system, both on the design and the implementation. If it's a money issue, see #1. Looking at mistakes #9 and #10, it seems very probable that at least some of Microsoft's engineers had no prior experience with cryptography or the design of a security system. We also know that people on an internship were working on Xbox security. ==== #12: Completeness ==== Check whether your security code catches all cases. If it does not, you did not only waste time implementing all of it, but you may also give hints to hackers: If there are many checks at one point of the code, it looks a lot like code that is relevant for security and an attacker can check whether all cases are caught. Microsoft made this mistake twice: The xcode interpreter tests for the secret ROM turnoff code, and doesn't catch all cases. And the Dashboard hashes all files it is going to read, except for two. This gave us the ideas where to attack. ==== #13: Leftovers ==== Look at the final product from the perspective of a hacker. Hexdump and disassemble your final builds. There could be leftovers! The Xbox flash memory image contained an old version of the secret ROM, giving us not only hints about the contents of the actual secret ROM, but also an insight into what Microsoft planned and why some mistakes have been made. ==== #14: Final Test ==== Test your security system when you have the final parts and with the final software components in place. Changing something may very well open holes somewhere else. When you change something, rethink the complete system, and check all assumptions that you made. The visor hack was only possible because Microsoft failed to adapt their security system, designed for the AMD CPU, to the Intel CPU. The "hash" in the secret ROM had no effect because they changed RC5 to RC4 without thinking about the implications. === Policies === ==== #15: Source ==== Keep your source safe. Find engineers you can trust. The complete Xbox source code has leaked, including the kernel and libraries source. Groups interested in copies could easily modify it to support running games from hard disk, support for hard disks bigger than 137 GB, custom boot logos etc. This had been previously done by patching the binary. ==== #16: Many People ==== Have many good people have a look at both your design and your implementation. Keeping your source code safe means having engineers you can trust, and not letting none of your engineers see the source code. As stated at #7, your system should not rely on the source code being safe. Unless you did #7 completely wrong, a bug in the security system is typically a lot worse than a leak of the source code. It seems a lot like very few people have actually seen the Xbox security code. ==== #17: Talk ==== Know your enemy - and talk to them. They are not terrorists that you are not supposed to negotiate with. Their intent is not to harm you but to reach their goals. Working on their goals on their own might harm you indirectly, because the hackers may not care about the same things as you do. Seek the contact to hackers, know what they are doing and have them inform you about a vulnerability before publishing it. Make them know your position and why they should respect it, but also respect their position. Offer them to loosen the security system for what they want in exchange for the non-disclosure of their findings. Microsoft refused to talk about the savegame and font vulnerabilities. If we had been bad hackers, we could have released both of them as-is, immediately making it possible to run copies on Xboxes without the use of a modchip. Instead, we sought contact to Microsoft: We would have preferred to see a backdoor for Linux in the Xbox security system, instead of a solution based on our findings that would allow running copies. But as they refused to talk, we were forced to release the exploits, and they were lucky we heavily obfuscated our solutions so in order to slow down people interested in using it for copies. == Conclusion == The security system of the Xbox has been a complete failure. 3959fd9abd9ca7e8c01e93c61ee92bfc4404bebd 6 4001 6891 2020-11-21T05:48:07Z Redherring32 2513 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 4002 6892 2020-11-21T05:50:59Z Redherring32 2513 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 6 4003 6893 2020-11-21T05:53:34Z Redherring32 2513 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 3675 6894 6751 2020-11-21T06:15:52Z Redherring32 2513 Added details and images regarding XGPU revisions wikitext text/x-wiki The NV2A is the northbridge of the chipset, as well as the GPU. [[File:XGPU.JPG|thumb|200px|XGPU (1.0)]] [[File:XGPU-S.JPG|thumb|200px|XGPU S (1.1-1.4)]] [[File:XGPU-B.JPG|thumb|200px|XGPU-B (1.6)]] == GPU == The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]: {| class="wikitable" ! Code name !! Official Name |- |NV20 || GeForce3 (Ti)<br>Quadro DCC |- |NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL |- |NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL |- |NV2A || Xbox GPU |} == Known Revisions== There are 3 known revisions of the Xbox GPU (XGPU), and they are as follows. XGPU - Found on boards of revision 1.0<br>XGPU S - Found on boards of revision 1.1-1.4<br>XGPU-B - Found on boards of revision 1.6 There is very little known about the difference between the revisions, or why there had to be consecutive revisions.<br>It is unknown if they are pin compatible with each other. == Notes == * [https://web.archive.org/web/20031004105935/http://developer.nvidia.com:80/object/nv30_emulation.html NV30 information and emulator] * [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006] [[Category:NV2A]] e024ab76e7d31250cc035f335ff4fc6ef646cda6 0 1 6896 6847 2021-01-28T13:02:06Z Dracc 2502 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 4064eeae7d0dabc5d4dfe4ffbd5d899d1ce49be4 0 11 6899 6898 2021-03-03T16:18:26Z RadWolfie 2528 fix format and add youtube reviewer link wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick **: '''List of known devices in existence<nowiki>:</nowiki>''' *** Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan *** Street Fighter 15th Anniversary Edition Arcade Stick *** Gamester Xbox Arcade Stick *** Nuby Xbox Fighter Arcade Stick *** Nuby Xbox Arcade Super Stick ***: Item#<nowiki>:</nowiki>36020 *** Naki Ultimate Fighting Stick ***: [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 2b3df0fc9834c0e7e4d8393ed18a2e86f55739e4 6900 6899 2021-03-03T16:31:21Z RadWolfie 2528 add Arcade Stick section to document device existence wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick **: '''List of known devices in existence<nowiki>:</nowiki>''' *** Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan *** Street Fighter 15th Anniversary Edition Arcade Stick *** Gamester Xbox Arcade Stick *** Nuby Xbox Fighter Arcade Stick *** Nuby Xbox Arcade Super Stick ***: Item#<nowiki>:</nowiki>36020 *** Naki Ultimate Fighting Stick ***: [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] f41a3b459a48af7ea60a26d4dc6dcdc047b98aa5 6901 6900 2021-03-03T16:33:19Z RadWolfie 2528 remove list from bSubtype since already moved into its own section wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 025ff9e81852cfa10d48b9dd4c45cba356016d25 6903 6901 2021-03-15T06:30:22Z Ryzee119 2519 Add IR dongle XID descriptor wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] ac872a4d78244c4b5b10cbe56bb7e723d7e00947 6904 6903 2021-03-15T06:32:41Z Ryzee119 2519 Add Xbox DVD Movie Playback IR dongle XID summary wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType:3 ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 4ef79ff5e136bcbd816467e75b2773952948d1a1 6905 6904 2021-03-15T06:33:30Z Ryzee119 2519 /* bType = 128: Steel Battalion */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType:3 ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> ====== Example XID reports ====== This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 6dfc5745c0bc9cbb4a2421a280e28ba725d9bece 6906 6905 2021-03-15T06:34:35Z Ryzee119 2519 /* Example XID reports */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType:3 ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 010915291aecc34067984c06705bab671c99761c 6907 6906 2021-03-15T06:34:58Z Ryzee119 2519 /* bType = 128: Steel Battalion */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType:3 ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 08d5979e73276ce3a072b404fd6dc95c7b1b6712 6908 6907 2021-03-15T06:35:29Z Ryzee119 2519 /* bType = 3: Xbox DVD Movie Playback IR Dongle */ wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType: ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] bca981ffd9485174e2984c83c47363c714aa5a1b 6909 6908 2021-03-15T21:35:44Z DiscoStarslayer 2509 Add microphone descriptors wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType: ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Microphones == === Xbox Communicator === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x002d bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> === Xbox Karaoke === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0501 bcdDevice 1.00 iManufacturer 1 Licensed 3PP Vendor iProduct 2 Karaoke Microphone Module iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x001b bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 121 bInterfaceSubClass 1 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0060 1x 96 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 05d6e368b26124e796dfa6521cdb795cc2bf39fb 6943 6909 2021-05-18T09:55:58Z Ryzee119 2519 bMaxOutputReportSize in xremote xid desc added wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType: ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) bMaxOutputReportSize 0x00 (0 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Microphones == === Xbox Communicator === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x002d bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> === Xbox Karaoke === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0501 bcdDevice 1.00 iManufacturer 1 Licensed 3PP Vendor iProduct 2 Karaoke Microphone Module iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x001b bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 121 bInterfaceSubClass 1 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0060 1x 96 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 974396f3a57d3eee8471ef6d48aefb49ef1a550f 0 3768 6902 6806 2021-03-13T03:40:27Z Ryzee119 2519 Add IR remote info wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. The keycodes read from an official Microsoft IR remote are as follows: {| class="wikitable" !Button !data_low !data_high |- |INFO |0xC3 |0x0A |- |9 |0xC6 |0x0A |- |8 |0xC7 |0x0A |- |7 |0xC8 |0x0A |- |6 |0xC9 |0x0A |- |5 |0xCA |0x0A |- |4 |0xCB |0x0A |- |3 |0xCC |0x0A |- |2 |0xCD |0x0A |- |1 |0xCE |0x0A |- |0 |0xCF |0x0A |- |SELECT |0x0B |0x0A |- |UP |0xA6 |0x0A |- |DOWN |0xA7 |0x0A |- |RIGHT |0xA8 |0x0A |- |LEFT |0xA9 |0x0A |- |STOP |0xE0 |0x0A |- |REVERSE |0xE2 |0x0A |- |FORWARD |0xE3 |0x0A |- |TITLE |0xE5 |0x0A |- |PAUSE |0xE6 |0x0A |- |PLAY |0xEA |0x0A |- |POWER |0xD5 |0x0A |- |BACK |0xD8 |0x0A |- |SKIP- |0xDD |0x0A |- |SKIP+ |0xDF |0x0A |- |MENU |0xF7 |0x0A |- |} ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 5dc36b1556ec46325ba7509f4707d9f19cd8735d 6945 6902 2021-05-20T07:28:41Z Ryzee119 2519 Added USB descriptor wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |} === USB Protocol === ==== USB Descriptor ==== <pre> Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0284 Xbox DVD Playback Kit bcdDevice 0.0a iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0022 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x00 (Missing must-be-set bit!) (Bus Powered) MaxPower 0mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 89 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 </pre> ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. The keycodes read from an official Microsoft IR remote are as follows: {| class="wikitable" !Button !data_low !data_high |- |INFO |0xC3 |0x0A |- |9 |0xC6 |0x0A |- |8 |0xC7 |0x0A |- |7 |0xC8 |0x0A |- |6 |0xC9 |0x0A |- |5 |0xCA |0x0A |- |4 |0xCB |0x0A |- |3 |0xCC |0x0A |- |2 |0xCD |0x0A |- |1 |0xCE |0x0A |- |0 |0xCF |0x0A |- |SELECT |0x0B |0x0A |- |UP |0xA6 |0x0A |- |DOWN |0xA7 |0x0A |- |RIGHT |0xA8 |0x0A |- |LEFT |0xA9 |0x0A |- |STOP |0xE0 |0x0A |- |REVERSE |0xE2 |0x0A |- |FORWARD |0xE3 |0x0A |- |TITLE |0xE5 |0x0A |- |PAUSE |0xE6 |0x0A |- |PLAY |0xEA |0x0A |- |POWER |0xD5 |0x0A |- |BACK |0xD8 |0x0A |- |SKIP- |0xDD |0x0A |- |SKIP+ |0xDF |0x0A |- |MENU |0xF7 |0x0A |- |} ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] c694382b515434db7f7a692fd7714642afba090f 6946 6945 2021-05-20T09:27:51Z Ryzee119 2519 Add some DVD dongle SHAs (Found in Australia) wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |- | X08-25597 || Indonesia || 1.1 || 4 || 229790 Bytes || <code>1E6D7F4F526B56527447AA09EDA41FFF05665A16</code> || |- | X08-96288-002 || Indonesia || 1.1 || 3 || 229790 Bytes || <code>0447373BF9326DFF95808CD028ED19FACD54C759</code> || |} === USB Protocol === ==== USB Descriptor ==== <pre> Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0284 Xbox DVD Playback Kit bcdDevice 0.0a iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0022 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x00 (Missing must-be-set bit!) (Bus Powered) MaxPower 0mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 89 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 </pre> ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. The keycodes read from an official Microsoft IR remote are as follows: {| class="wikitable" !Button !data_low !data_high |- |INFO |0xC3 |0x0A |- |9 |0xC6 |0x0A |- |8 |0xC7 |0x0A |- |7 |0xC8 |0x0A |- |6 |0xC9 |0x0A |- |5 |0xCA |0x0A |- |4 |0xCB |0x0A |- |3 |0xCC |0x0A |- |2 |0xCD |0x0A |- |1 |0xCE |0x0A |- |0 |0xCF |0x0A |- |SELECT |0x0B |0x0A |- |UP |0xA6 |0x0A |- |DOWN |0xA7 |0x0A |- |RIGHT |0xA8 |0x0A |- |LEFT |0xA9 |0x0A |- |STOP |0xE0 |0x0A |- |REVERSE |0xE2 |0x0A |- |FORWARD |0xE3 |0x0A |- |TITLE |0xE5 |0x0A |- |PAUSE |0xE6 |0x0A |- |PLAY |0xEA |0x0A |- |POWER |0xD5 |0x0A |- |BACK |0xD8 |0x0A |- |SKIP- |0xDD |0x0A |- |SKIP+ |0xDF |0x0A |- |MENU |0xF7 |0x0A |- |} ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}} === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] d5a6caac605b7c957d97bcaab37297a2cdb85de3 0 3766 6910 6351 2021-03-19T07:59:32Z Ryzee119 2519 Added Focus and Xcalibur SMBus addresses wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. It supports bus arbitration and the Xbox kernel will retry transactions if a collision occurs. This means it is safe to use a second SMBus master (like a USB-SMBus adapter) while the Xbox is running ''as long as the second master also supports arbitration''. Adapters based on the Silicon Labs CP2112 or Microchip MCP2221 chips will work, for example. ==SMBus Controller Port Layout== {| class="wikitable" |- ! Port !! Description |- | 0xC000 | '''Status''' * bit 0: abort * bit 1: collision * bit 2: protocol error * bit 3: busy * bit 4: cycle complete * bit 5: timeout |- | 0xC002 | '''Control''' * bit 2-0: cycle type * bit 3: start * bit 4: enable interrupt * bit 5: abort |- | 0xC004 | '''Address''' |- | 0xC006 | '''Data''' |- | 0xC008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | ADM1032 System Temperature Monitor (Not on v1.6 Xboxes) | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |- | Conexant CX25871 Video Encoder (Not on all Xbox revisions) | 0x45 | 0x8a |- | Focus FS454 Video Encoder (v1.4/1.5 Xboxes only) | 0x68 | 0xD4 |- | Microsoft Xcalibur Video Encoder (v1.6 Xboxes only) | 0x70 | 0xE0 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. e7f35cfda52427bdad14adefed1c262faf3ea2ed 6911 6910 2021-03-19T08:00:45Z Ryzee119 2519 Add Focus and Xcalibur SMBus addresses wikitext text/x-wiki Retreived from http://www.xbox-linux.org/wiki/SMBus_Controller by ''Michael Steil'' (original version: 15/26 June 2002) All non-PC components of the Xbox console are connected through an I²C/SMbus interface. I²C/SMBus is a slow low-cost serial bus with each device having a unique 7-bit ID. (Wikipedia has informative articles about [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/I2c I²C] and [https://web.archive.org/web/20100617015507/http://en.wikipedia.org/wiki/SMBus SMBus], you might want to check them out.) There are only two operations of an SMBus controller: write and read. Writing means that an 8 bit command code and an 8 or 16 bit operand are sent to an SMBus device. Reading means that an 8 bit command code is sent to the device and an 8 or 16 bit answer is expected. The controller for the SMBus interface in the Xbox is a PCI device with the DevID 01B4 and it is built into MPCX southbridge. It supports bus arbitration and the Xbox kernel will retry transactions if a collision occurs. This means it is safe to use a second SMBus master (like a USB-SMBus adapter) while the Xbox is running ''as long as the second master also supports arbitration''. Adapters based on the Silicon Labs CP2112 or Microchip MCP2221 chips will work, for example. ==SMBus Controller Port Layout== {| class="wikitable" |- ! Port !! Description |- | 0xC000 | '''Status''' * bit 0: abort * bit 1: collision * bit 2: protocol error * bit 3: busy * bit 4: cycle complete * bit 5: timeout |- | 0xC002 | '''Control''' * bit 2-0: cycle type * bit 3: start * bit 4: enable interrupt * bit 5: abort |- | 0xC004 | '''Address''' |- | 0xC006 | '''Data''' |- | 0xC008 | '''Command''' |} This is very similar (but not identical) to the AMD756/AMD766/AMD768 SMBus controllers. The [https://web.archive.org/web/20100617015507/http://www.lm-sensors.nu/ lm_sensors project] includes GPLed Linux kernel code for it since version 2.6.4 (kernel/busses/i2c-amd756.c). ==SMBus Controller Programming== The following two routines illustrate how to read and write data from and to an SMBus device: <pre> int SMBusWriteCommand(unsigned char slave, unsigned char command, int isWord, unsigned short data) { again: _outp(0xc004, (slave&lt;&lt;1)&amp;0xfe); _outp(0xc008, command); _outpw(0xc006, data); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ return 1; } </pre> <pre> int SMBusReadCommand(unsigned char slave, unsigned char command, int isWord, unsigned short *data) { again: _outp(0xc004, (slave&lt;&lt;1)|0x01); _outp(0xc008, command); _outpw(0xc000, _inpw(0xc000)); _outp(0xc002, (isWord)&nbsp;? 0x0b&nbsp;: 0x0a); while ((_inp(0xc000) &amp; 8)); /* wait while busy */ if (_inp(0xc000) &amp; 0x02) goto again; /* retry transmission */ if (_inp(0xc000) &amp; 0x34) return 0; /* fatal error */ *data = _inpw(0xc006); return 1; } </pre> <br /> To avoid busy waiting of the CPU, the SMBus controller can also issue an interrupt when the operation is complete, by setting bit #4 in the control port when initiating the transfer. ==Xbox SMBus Devices== The following four devices are connected to the Xbox SMBus: {| class="wikitable" |- | '''Device''' | '''Hardware Address''' | '''Software Address''' |- | PIC16LC | 0x10 | 0x20 |- | ADM1032 System Temperature Monitor (Not on v1.6 Xboxes) | 0x4c | 0x98 |- | Serial EEPROM | 0x54 | 0xa8 |- | Conexant CX25871 Video Encoder (Not on all Xbox revisions) | 0x45 | 0x8a |- | Focus FS454 Video Encoder (v1.4/1.5 Xboxes only) | 0x6A | 0xD4 |- | Microsoft Xcalibur Video Encoder (v1.6 Xboxes only) | 0x70 | 0xE0 |} Do not confuse the hardware with the software addresses: The software ID is the hardware ID shifted by one bit left. The code above expects the hardware ID. Actually, these addresses are not literally accurate; you find that the hardware address is 0x54 for the EEPROM: the actual address of the EEPROM on the i2c bus is 1010 (0xa), however, you will also notice that 0x54 is '''1010'''100 in binary, and it seems that this 100 is also appended onto the other devices as well (although their software address is naturally read as say '''1010'''1000 - obviously because of the left shifting, however, it could be speculated that it would be possible to communicate with devices over the SMBus that are connected via i2c, so long as you knew their base address. f221255046e04fd61309b8ac190d50bfddb65dda 0 4004 6912 2021-03-20T14:01:31Z Billy549 2520 Add Connection Test page wikitext text/x-wiki The network settings screen on the Xbox Dashboard will perform a connection test to Xbox Live when a user edits settings, to ensure that it can still connect to the Internet. If the user has not connected to Xbox Live before, this will be where the Xbox first connects to create a Machine Account via MACS (Machine Account Creation Service). Then, it will use this account to authenticate the machine and perform a ping test as well as a speed test on dashes before 5960(? double check if this was the first dash to change behaviour). === Extra Info === Pressing Y once the connection test has finished will show some extra info, and on 5960 dash and later will also perform an MTU test(? plaintext in the packet says MTU test) using the domain XXXXX.XBOXLIVE.COM (which the 360 also uses) === Packet Log === Pressing the Black button on the controller once the connection test has finished will save a packet log to the hard drive as a save [FIXME: add more info] - [https://github.com/insignia-live/xbcap2pcap xbcap2pcap] can convert this DAT file into a standard PCAP. The DAT's structure is as follows: <pre> uint32_t total packet length uint32_t timestamp in ms total packet length - 8 bytes of Ethernet packet data </pre> 6c151cc78f53d8e074a9502361e096e6f5385d67 6920 6912 2021-03-25T22:00:57Z Billy549 2520 Add information about the second page from XBL's old page wikitext text/x-wiki The network settings screen on the Xbox Dashboard will perform a connection test to Xbox Live when a user edits settings, to ensure that it can still connect to the Internet. If the user has not connected to Xbox Live before, this will be where the Xbox first connects to create a Machine Account via MACS (Machine Account Creation Service). Then, it will use this account to authenticate the machine and perform a ping test as well as a speed test on dashes before 5960(? double check if this was the first dash to change behaviour). === Extra Info === Pressing Y once the connection test has finished will show some extra info; Pressing A on 5960 or later will perform another test using <pre>xds.xboxlive.com</pre> - this server is still up (CNAME'd to xds.gtm.xboxlive.com, IP 65.55.42.21). This will then return three more results: MT - MTU test, if 1 your MTU is 1365+ and works with Xbox Live, if 0 then <1365 IC - ICMP test, if 1 your router is properly forwarding ICMP, if 0 then not NT - NAT test, where 1 is open, 2 is moderate, and 3 is strict. This info is from [https://web.archive.org/web/20040621040049/http://www.xbox.com/en-US/live/connect/Diagnosing.htm Xbox Live's archived diagnostics page] === Packet Log === Pressing the Black button on the controller once the connection test has finished will save a packet log to the hard drive as a save [FIXME: add more info] - [https://github.com/insignia-live/xbcap2pcap xbcap2pcap] can convert this DAT file into a standard PCAP. The DAT's structure is as follows: <pre> uint32_t total packet length uint32_t timestamp in ms total packet length - 8 bytes of Ethernet packet data </pre> e8082c94b5d75a962bf31b3f33971efe39dd735f 0 1 6913 6896 2021-03-20T14:03:07Z Billy549 2520 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] d1e035f0dd2b0677784d0434f27021822073237c 6916 6913 2021-03-20T14:13:02Z Billy549 2520 wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] eaaa1cf167be83a42699cb753dbcbed481c2f5ec 6923 6916 2021-05-02T23:41:41Z Mason 2530 Adding new pages for xbox emulators wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XEMU]] ** [[CXBX-R]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 3604016bc666155fd3d981fcd2b61e4e6d27bd67 6926 6923 2021-05-03T00:00:36Z Mason 2530 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] * [[Insignia]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XEMU]] ** [[CXBX-R]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 016ce6d5bad0df05a5e333583276e1b600bc4721 6932 6926 2021-05-03T07:29:08Z Mason 2530 /* Development Kits and Tools */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XEMU]] ** [[CXBX-R]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 3604016bc666155fd3d981fcd2b61e4e6d27bd67 6933 6932 2021-05-11T13:28:44Z Espes 2484 /* Emulation */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[XEMU]] ** [[Cxbx-Reloaded]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] 75e4d0f37a8ca67f2954208f88348bcb9d072cc7 6935 6933 2021-05-11T13:46:02Z Espes 2484 /* Emulation */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[Xemu|xemu]] ** [[Cxbx-Reloaded]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] a8682ce8173b30093610ce9f1740aec7a234cd54 0 4005 6914 2021-03-20T14:12:34Z Billy549 2520 Create Machine Account page wikitext text/x-wiki All Xboxes that communicate on Xbox Live will have a Machine Account - == Machine Account Creation Service == The first time an Xbox connects to Xbox Live from the factory, it'll connect to MACS.XBOXLIVE.COM and use a pre-shared key based from the Online Key, HDD Key, and a unique key present in all Xbox Live binaries. The server will either return an error message, or return a valid machine account for future authentication. {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} 606be6ca4ee8d729d8ed0b268b51d68fef868eed 6917 6914 2021-03-20T14:14:05Z Billy549 2520 wikitext text/x-wiki All Xboxes that communicate on Xbox Live will have a Machine Account - it's generated the first time a user performs a connection test from the factory on an Xbox Live dashboard (4920 or later). == Machine Account Creation Service == The first time an Xbox connects to Xbox Live from the factory, it'll connect to MACS.XBOXLIVE.COM and use a pre-shared key based from the Online Key, HDD Key, and a unique key present in all Xbox Live binaries. The server will either return an error message, or return a valid machine account for future authentication. {| class="wikitable" |+Xbox PA-DATA |- ! padata-type ! description |- |131 | ? |- |204 | ? |- |206 | Information about Xbox Version, Title, and Title version |} 3f6f36579ebc2f8b72ed49e008e6d0363a0a4854 0 3693 6915 6885 2021-03-20T14:12:43Z Billy549 2520 wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. The Xbox Live architecture consists of Kerberos-based authentication tickets, with a Secure Gateway used to then access services (such as Matchmaking, Statistics/Leaderboards, and custom game servers) Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customisations for the Xbox. When an Xbox first connects, the server gives it a [[Xbox Live/Machine Account|Machine Account]] which it uses to access the service; this machine account is always sent, but it can only be used alone to access UACS (User Account Creation Service) to create a user account - with both a machine account and user account, all other services are accessible. === XDK Functions === {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. It will return XONLINETASK_S_RUNNING while the login process has not been completed. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) |Will return XONLINE_S_LOGON_CONNECTION_ESTABLISHED when the task is successfully completed. Otherwise it will return an error code. |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} == Discontinuation of service == The service was officially discontinued on April 15th, 2010. 12 players decided to stay in a lobby of ''Halo 2'' 24/7 to keep a server running. The final player, Apache N4SIR was streaming the entire event, as the player count of 12 twindeled down to just him. At 11:40 PM PDT, on May 11th 2010, Apache N4SIR was booted from the game[http://i.imgur.com/oQw6k5H.jpg]. a86d06b304a92946dde78d05412fa04f9026bb97 0 3751 6918 6858 2021-03-23T17:09:50Z Derf 2525 /* Attack ideas */ wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4831 libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from disc, so a vulnerability could be found in those. Requires a DVD+R burned with booktype DVD-ROM and the DVD drive must support layertype "read only" which is a firmware feature in a very small handful of DVD burners. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 9dc3d4146fae774343cf97889f8edf441f69ff5b 6919 6918 2021-03-23T17:11:17Z Derf 2525 Undo revision 6918 by [[Special:Contributions/Derf|Derf]] ([[User talk:Derf|talk]]) wikitext text/x-wiki == MCPX == === LDT (Hypertransport) bus tap === See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox]. === Visor hack === Exploits incorrect rollover of memory address. === MIST hack === Exploits error in xcode interpreter security check. There are at least 2 variations of this hack. === A20M# hack === [[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]] Uses a legacy x86 feature. === RC4 attack (MCPX 1.0 only) === Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects. This can be used to take over the 2BL entry point. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''This attack is described by Michael Steil in his Google talk.'' === TEA attack (MCPX 1.1 only) === TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way. The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region). When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped. The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken. As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM. When the attack happens, the MCPX ROM is still visible, making this a very powerful attack. ''The TEA algorithm and exploit are also described in more detail in Bunnie's book (Page 109 and Page 142).'' == Dashboard == === Audio hacks === === Font hacks === [http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit]. ==== Easter-egg exploit ==== == Savegames == Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf] === [[007: Agent Under Fire]] === [https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html Analysis of this savegame-exploit]. === [[Frogger Beyond]] === Not much is known why this game was in the list, [https://events.ccc.de/congress/2005/fahrplan/attachments/674-slides_xbox.pdf 22C3, page 85] The game isnt shown in the final presentation at 22C3 (neither are Mechassault nor SplinterCell). === [[MechAssault]] === === [[Tom Clancy's Splinter Cell]] === === [[Tony Hawk's Pro Skater 4]] === Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. [https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)] ''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer another website talking about his exploit. [https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk] == Attack ideas == {| class="wikitable" ! Purpose || Author || Description || Status |- |Xbox DVD Movie Playback Kit Dongle ROM manipulation || Xbox-Linux wiki |As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security. | XBE loader seems to be secured, although no full analysis has been done. |- | Preserving memory across boot || JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |- | Early boot control || JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes. This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Schedule a reset * Keep reading MCPX ROM memory with CPU to persistent page * If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40). Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: * Map PCI devices over the MCPX ROM region * Check if NV2A can access the mapped PCI device * Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM) * If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover) | Concept only: No interest in experimenting with NV2A DMA. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots: * Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD) * Warm reset using SMC * Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example) * Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset * Code in lower region should copy MCPX ROM region to persisting pages | Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |- | Unknown || JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |- | Dumping the MCPX ROM || JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |- | Unknown || JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |- | Dumping the MCPX ROM || JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. | * AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out). * APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox. * OHCI: Untested * Others: Untested |- | Dumping Kernel INIT || JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |- | Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-09-12 |- | rowspan="13" | Homebrew entry point || rowspan="13" | Community | rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-ROM. The XBE extracts the actual game XBE (which is signed to run from HDD) onto the cache drives. If we can find a vulnerability in one of them (loaded files), we could possibly take over the entire system and run a softmod from DVD+R. In order to make a bootable DVD+R, you must have a DVD burner that - either natively, or by custom firmware - can set booktype to DVD-ROM. From a small sample size, it appears that the drive must also be capable of setting the layertype on the disc to "read-only", which is a very rarely used security feature apparently only present for Xbox, Xbox 360, and an Audi navigation system. Layertype is a rather unknown thing, and it appears DVD burners were accidentally set with this from factory, but regular burner drives could potentially have the layertype modified using custom firmware (as the Burnermax payload does for dual layer DVDs). |- |'''Hulk (Special Edition)''' UPC 2519224892 [[The Hulk]] This DVD is unique and contains a partial dashboard (5860 with 4831 libraries) with an xboxdash.xbe signed to run from DVD-ROM. The default.xbe calls this dashboard XBE with parameters to play a video on the disc. By swapping this XBE with the default.xbe, you can boot the dashboard to a blank sphere. By placing dashboard 4920's mainmenu5.xip in the xboxdash folder, you can restore the orb and menu options, but selecting an option will show a blank sphere after the zoom animation. All xips are loaded from DVD and are hash checked. Font/audio files are loaded from HDD and hash checked. Aside from xboxdash.xbe, default.xbe will load video_ts.ifo and an audio file from cdrom, so a vulnerability could be found in those. Untested |- |'''Star Wars: Clone Wars - Volume One''' UPC 2454317005 [[Republic Commando]] Untested |- |'''Star Wars: Clone Wars - Volume Two''' UPC 24543214137 [[Battlefront II]] Untested |- |'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)''' UPC 5039036023238 [[Battlefront II]] Untested |- |'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)''' UPC 24543123415 or 5039036017374 [[Star Wars Battlefront]] Untested |- |'''Star Wars Trilogy DVD (Widescreen theatrical edition)''' UPC 24543559856 [[Lego Star Wars 2]] Untested |- |'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)''' UPC 5050582274639 [[Chronicles of Riddick]] Untested |- |'''Doom (Unrated Widescreen Edition)''' UPC 25192031229 [[Doom 3]] Untested |- |'''King Arthur - The Director's Cut (Widescreen Edition)''' UPC 786936265262 [[King Arthur]] Untested |- |'''Robots (Widescreen Edition)''' UPC 24543193845 [[Robots]] Untested |- |'''Van Helsing (Widescreen Edition)''' UPC 25192326622 or 25192586125 [[Van Helsing]] Untested |- |'''The Godfather''' UPC not 5014437812834 nor 14633165401 nor 014633165401 SPPV and Atreyu187 claim this exists and contains an XBE capable of chainloading any signed game XBE. No evidence exists of this actually existing on the DVD or game bonus disc, but it is listed here for posterity. [[The Godfather: The Game]] |} == Notes == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] * [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations] 1fd369538fc6b59ed8f489b448743d32527c6278 0 4006 6921 2021-04-25T03:23:11Z Dumb 2529 Created page with "Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of tho..." wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | ? | ? |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 461532733706 | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | ? | "Development Kit" | Y | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} fbb7a4f2a284891f15ed498547db40685f7d3bf7 6922 6921 2021-04-25T03:31:52Z Dumb 2529 wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 461532733706 | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | ? | "Development Kit" | Y | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 8780e3cb75569dbb7ff3522d123a85f259593014 0 4007 6924 2021-05-02T23:51:40Z Mason 2530 Adding new pages for xbox emulators wikitext text/x-wiki xemu is a continuation of xqemu which is a low-level Xbox / Chihiro Emulator started in early 2020 by mborgerson[https://github.com/mborgerson/xemu]. The official homepage can be found at [https://xemu.app xemu.app] == Compatibility list == Compatibility list can be found by going [https://xemu.app here]. Most titles have marked as playable with some minor issues, some relating to performance or assert crashes that need to be fixed/implemented. == Features == Currently the features that are supported are Gamepad Support, System Link, Snapshots (Save States), and coming soon is Surface Scaling, which is available [https://github.com/mborgerson/xemu/tree/feat/surf-scale here]. 8a187333f11860ed4291b550994c457a2cbf590e 6928 6924 2021-05-03T00:07:08Z Mason 2530 wikitext text/x-wiki xemu is a continuation of xqemu which is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. xemu was started in early 2020 by mborgerson[https://github.com/mborgerson] The official homepage can be found at [https://xemu.app xemu.app] == Compatibility list == Compatibility list can be found by going [https://xemu.app here]. Most titles have marked as playable with some minor issues, some relating to performance or assert crashes that need to be fixed/implemented. == Features == Currently the features that are supported are Gamepad Support, System Link, Snapshots (Save States), and coming soon is Surface Scaling, which is available [https://github.com/mborgerson/xemu/tree/feat/surf-scale here]. 66492025f9dfacb0f91340a85fc09d8f0b315d67 6929 6928 2021-05-03T06:52:08Z Dracc 2502 wikitext text/x-wiki xemu is a continuation of xqemu which is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. xemu was started in early 2020 by mborgerson[https://github.com/mborgerson] The official homepage can be found at [https://xemu.app xemu.app] == Compatibility list == Compatibility list can be found at https://xemu.app/#compatibility. == Features == Currently the features that are supported are Gamepad Support, System Link, Snapshots (Save States). aad353a4a17d4ca378481ae92e2f7bec7a06f0a4 6930 6929 2021-05-03T06:52:33Z Dracc 2502 wikitext text/x-wiki xemu is a continuation of xqemu which is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. xemu was started in early 2020 by mborgerson[https://github.com/mborgerson] The official homepage is https://xemu.app == Compatibility list == Compatibility list can be found at https://xemu.app/#compatibility. == Features == Currently the features that are supported are Gamepad Support, System Link, Snapshots (Save States). d439019629686bd6dc32e098acbef2cfc7670900 6934 6930 2021-05-11T13:41:15Z Espes 2484 Espes moved page [[XEMU]] to [[Xemu]] without leaving a redirect wikitext text/x-wiki xemu is a continuation of xqemu which is a low-level Xbox / Chihiro Emulator started in mid-late 2012 by espes[https://github.com/espes/xqemu/commit/d823f5802e7c4c84163aea8b4d924044951c705e]. xemu was started in early 2020 by mborgerson[https://github.com/mborgerson] The official homepage is https://xemu.app == Compatibility list == Compatibility list can be found at https://xemu.app/#compatibility. == Features == Currently the features that are supported are Gamepad Support, System Link, Snapshots (Save States). d439019629686bd6dc32e098acbef2cfc7670900 0 4009 6927 2021-05-03T00:05:06Z Mason 2530 Created page with "Insignia is meant to serve as a replacement for Xbox Live 1.0 which shutdown April 15th, 2010. This project was created by Luke Usher[https://www.patreon.com/LukeUsher] You..." wikitext text/x-wiki Insignia is meant to serve as a replacement for Xbox Live 1.0 which shutdown April 15th, 2010. This project was created by Luke Usher[https://www.patreon.com/LukeUsher] You can find Insignia [https://discord.gg/CWkdVdc here] d6ea2db29b46d4c260bb37678b607b4741349a9d 0 3703 6936 6880 2021-05-11T13:46:32Z Espes 2484 wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[Xemu|xemu]] |[https://xemu.app/][https://github.com/mborgerson/xemu] |mborgerson |Windows/macOS/Linux | |xemu is a fork of XQEMU but more usable |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[[Fusion]][http://michaelbrundage.com/project/xbox-360-emulator/] | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Fission]][http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. | |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 41dc40b12615cffcf9f605f09d7ed400dc20089a 0 3775 6937 5590 2021-05-11T14:26:44Z Billy549 2520 Add redirect to the new page. wikitext text/x-wiki #REDIRECT [[Manufacturing Process]] {{retrieved|https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process}} by ''Michael Steil'' There are many different Xboxes. Although they all look the same (except for the "Special Edition"), and all of them work with all games, they have been produced in three different factories and may contain different components. This article describes the "reverse-engineered" internals of Xbox manufacturing. ==The Serial Number== Every Xbox has a sticker on the bottom that looks like this: <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/serial-sticker.jpg" alt="serial-sticker.jpg" /> It contains the manufacturing date and the 12-digit serial number: <pre>1166356 20903 || | |||||__ || | ||||___ factory number || | |||____ || | ||_____ week of year (starting Mondays) || | |______ last digit of year || |________ ||_____________ number of Xbox within week and factory |______________ production line within factory </pre> <br /> Three factories have produced the Xbox. Mexico (Guadalajara) is "02", Hungary (S�rv�r) is "03" and China (Doumen) is "05". So this Xbox has been manufactured in week #9, 2002 in line 1 of the factory in Hungary, and it was number 166,356 of this week. ==Factories== {| class="wikitable" |- | '''Date''' | '''Mexico''' | '''Hungary''' | '''China''' |- | 10/2001 | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. | Production of 110V 1.0 Xboxes with Thomson drives is started for the USA/Canada market. |- | 01/2002 | Production gets extended for Japan. | Complete switch to 220V European/Australian models. |- | 04/2002 | Production lines #1 and #6 get closed and get moved to China. The other four lines continue production. The first Xboxes with Philips DVD drives are made, now 50% of all Mexican devices have Philips, and 50% have Thomson. | |- | 05/2002 | | Production stops after only less than 9 months, and after about 3 Million Xboxes. All four production lines get moved to China. |- | 08/2002 | | | Production of the 220V 1.1 Xbox for Europe and Australia only begins, with mostly Philips and sometimes Thomson DVD drives. |- | 09/2002 | | | First Samsung DVD drives. Most Xboxes now contain Samsung devices, a few contain Philips ones, and very few still contain Thomson ones. |- | 10/2002 | Switch the remaining four lines to version 1.1. | | |- | 11/2002 | | | Production gets extended by 110V USA/Canada/Japan models. |- | 12/2002 | Production ends after 14 months, and after nearly 7 Million Xboxes. | | First line changes to version 1.2 |- | 02/2003 | | | Last line changes to version 1.2 |- | 03/2003 | | | First line changes to version 1.3 |- | 04/2003 | | | Last line changes to version 1.3 |- | 07/2003 | | | First line changes to version 1.4 |- | 08/2003 | | | First line changes to version 1.5 |} Look at the <a href="/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Versions_HOWTO" title="Xbox Versions HOWTO">Xbox Versions HOWTO</a> for details on when which Chinese line switched to a new version. ==Manufacturing Process== (Please note that a lot of this information has been concluded from implicit information, it may contain errors.) When a computer such as the Xbox is manufactured, three very different tasks have to be done: * assemble the hardware * copy the software on the hardware * test the device The most interesting part about this is when the software is copied, and when and how the device is tested, because there is a lot of room for optimization. Not counting the firmware of independent components such as the HD, the DVD and the SMC, the Xbox contains three pieces of software: * The Xbox kernel in Flash ROM * The hard disk contents (and hard disk key) * The EEPROM contents It depends on the device whether it is more convenient to program it before putting it into the Xbox or doing in-system-programming. ===Putting the System together=== The Flash ROM chips gets programmed externally with the final Xbox kernel and then gets soldered onto the Xbox motherboard. The EEPROM is empty when it gets soldered onto it. So is the hard disk when it gets connected. ===The Installation CD=== So when the Xbox is complete, but the EEPROM and the hard disk are still empty and the hard disk is not locked yet, an optical media gets inserted into the DVD drive (this needn't be an Xbox DVD), which contains a properly retail-signed default.xbe built with the XDK that has the allow eject flag set and has the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from CD, which does the following: * format the three swap partitions * copy XMTAXBOX.XBE from CD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. ===XMTAXBOX.XBE=== This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: * retrieve the EEPROM contents from a network server * retrieve the contents of the system and data partitions from a network server * lock the hard disk * make some self tests and send the report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/repairdvd.jpg" alt="repairdvd.jpg" /> <img src="https://web.archive.org/web/20100617013616im_/http://www.xbox-linux.org/pic/xboxqc.jpg" alt="xboxqc.jpg" /> [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-01/articles/16-01_26.asp] == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process_Pictures Xbox Manufacturing Process Pictures] * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html] Innovation and Design Management case study * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&amp;pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R: [https://web.archive.org/web/20100617013616/http://www.immnet.com/articles?article=1763 Molding is big man on this campus] 435490a0cbb571a9bd975178de790ee9ee2478a8 0 3782 6938 6726 2021-05-11T14:29:48Z Billy549 2520 Redirected page to [[Hard Drive#Partitions]] wikitext text/x-wiki #REDIRECT [[Hard Drive#Partitions]] {{retrieved|https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Hard_Disk_Partitioning|ours=Hard Drive}} by ''Michael Steil'' (original version: 8 May 2002) The Xbox uses a hard disk partitioning scheme that is hardwired into the kernel. The hard disk consists of a header, 3 game cache partitions, a system partition and a data partition: {| class="wikitable" |- ! Offset ! Size ! Description |- | 0&nbsp;MB<br /><code>0x00000000</code> | 0.5&nbsp;MB | '''Disk Config Area''' <br />This partition contains no filesystem. Various configuration data is stored on fixed offsets.<br />Linux device: <code>none</code> |- | 0.5&nbsp;MB<br /><code>0x00000400</code> | 750&nbsp;MB | '''Game Cache A''' (Drive X:)<br />FATX volume containing temporary data of a game for faster access.<br />Linux device: <code>/dev/hda52</code> |- | 750.5&nbsp;MB<br /><code>0x00177400</code> | 750&nbsp;MB | '''Game Cache B''' (Drive Y:)<br />Linux device: <code>/dev/hda53</code> |- | 1500.5&nbsp;MB<br /><code>0x002EE400</code> | 750&nbsp;MB | '''Game Cache C''' (Drive Z:)<br />Linux device: <code>/dev/hda54</code> |- | 2250.5&nbsp;MB<br /><code>0x00465400</code> | 500&nbsp;MB | '''System Files''' (Drive C:)<br />FATX volume containing menu code, graphics, sound, DVD player, music import,&nbsp;...<br />Linux device: <code>/dev/hda51</code> |- | 2750.5&nbsp;MB<br /><code>0x0055F400</code> | 4895&nbsp;MB | '''Data''' (Drive E:)<br />FATX volume containing saved games and imported CD audio tracks.<br />Linux device: <code>/dev/hda50</code> |- ! ! ! '''Non-Standard partitions on disks &gt;8GB''' |- | 7645.5&nbsp;MB<br /><code>0x00EE8AB0</code> | 1896&nbsp;MB<br />- 130&nbsp;GB | '''Unused/Additional''' (Drive F:)<br />The first xboxes had a 8GB disk, later versions came with a 10GB disk. This the space difference between the two and not used. Some tools allow it to be used as additional FATX filesystem<br />Linux device: <code>/dev/hda55</code> (only present if signature of formatted FATX found)<br />Linux assumes that all remaining space on the disk belongs to this partition unless another FATX filesystem is detected at the LBA28 boundary. See below. |- | 137&nbsp;GB<br /><code>0x0FFFFFFF</code> | remaining space | '''LBA28''' (Drive G:)<br />If you install a very big disk some tools are limited by the LBA24 boundary. The drive G allows this space to be used in a separate drive, only accessible to LBA48 capable tools and BIOS'es.<br />Linux device: <code>/dev/hda56</code> (only present if signature of formatted FATX found at LBA24 boundary)<br />Linux assumes that all remaining space on the disk belongs to this partition. |} This table has been completed by Markus Baertschi with lots of stuff. There might be errors and misconceptions, caveat emptor&nbsp;! {| class="wikitable" |- ! '''Missing image'''<br />''Icon-admonition-tip.png'' <br />Tip<br /><br /> | For a more detailed description of the format and contents of the partitions see [https://web.archive.org/web/20100617023145/http://www.xbox-linux.org/wiki/Xbox_Partitioning_and_Filesystem_Details Xbox Partitioning and Filesystem Details].|} 95666a995dc021f98361762b20bdc1f8b5620811 0 3780 6939 5626 2021-05-11T14:30:46Z Billy549 2520 Redirected page to [[Hard Drive#Locking Mechanism and Basics]] wikitext text/x-wiki #REDIRECT [[Hard Drive#Locking_Mechanism_and_Basics]] {{retrieved|https://web.archive.org/web/20100617023052/http://www.xbox-linux.org/wiki/Xbox_Hard_Drive_Locking_Mechanism}} by ''SpeedBump'' (original version: 13 August 2002) The hard drive in the MS Xbox(tm) is a standard ide drive, which implements a rarely used security feature to restrict access to its data. This document will describe in full the security features, and the algorithms required to access the data on an xbox drive. ==The IDE (ATA) commands== The ATA spec defines a feature subset which allows for the user to limit access to the drive's data behind a hardware implemented locking mechanism. There are several commands in the SECURITY feature subset, but the command of most interest is the SECURITY_UNLOCK command. SECURITY_UNLOCK requires that the user provide one of two 32 byte passwords, either a user or master password. The Xbox uses the user password. Details on the data formats and timings for the data to be sent to the ide drive can be found in the ata specs (see [[https://web.archive.org/web/20100617023052/http://www.t13.org/]]). ==The password== The drive password is generated in two distinct phases. The first phase extracts a key (referred to as the HDKey) from the eeprom data on the Xbox. The HDKey is unique to each Xbox making this first phase dependant only on the Xbox eeprom of the unit. The second phase uses this HDKey to generate a password which is specific to the drive being unlocked (keyed to the model and serial numbers of the drive). ==Drive Data== During the second phase, the serial and model numbers are needed. These values are available in the response data from the DEVICE_IDENTITY ata command. However, the data needs to be properly reorganized. It is read in big endian words, and needs to be byte swapped first to get the byte ordering correct. Then, starting from the end of the data (serial == 20 bytes, model == 40 bytes) ignore ASCII spaces (byte value of 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ascii values in the fields. ==Basic Security algorithms== There are two primary crytography routines needed when generating an XBox drive password, SHA1 and RC4. SHA1 is a hashing algorithm. It's primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest. RC4 is a symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions. There is an algorithm called HMAC which uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature. I'm sure there is a mathematical basis for this, but I'm not willing to try to understand it&nbsp;:) ==The Password Algorithm== (some syntax notes, key data is shown entering functions from the side, data is shown entring from above or below, in order of presentation from left to right) <pre> RC4_key &gt;--(second)--&gt;--, /|\ | | | .-&lt;--|__eeprom_key__|--&gt;-----------&gt; HMAC_SHA1 | | /|\ | | | | | .---&gt;-----------' | | | | | eeprom_data = |__data_hash___|__enc_conf__|__enc_data__| | | | | | | | | \|/ | | | | rc4_decrypt &lt;----|---------&lt;| | | | | | | \|/ | | | | (must be equal) | \|/ | | /|\ | rc4_decrypt &lt;---' | | | | | | \|/ \|/ | | |_confounder_|____data____| | | / / | | | / / | | | / / | | | / / | | | \|/ / \|/ `---&gt;-----------------&gt; HMAC_SHA1 / |__HDKey__|__| /|\ / | \______/ | | .-------------------------&lt;--------' | | model_number serial_number | \ / | \ / `---&gt;-----------------&gt; HMAC_SHA1 | \|/ HD_password </pre> <br /> This seems to be the easiest way to show the required calculations. Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes 20 bytes into eeprom_data) and the encrypted data (20 bytes 28 bytes into eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the eeprom. If they don't match then the eeprom data is not correct. If the hashes match then the first 16 bytes of the decrypted data field is the HDKey. Once you have the HDKey get the model number and serial number from the ide drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros. ==Remaining Questions== The algorithm is well known, however it is dependant on the eeprom_key. It would be ideal if this key could be compiled into a driver to perform the generation and the unlocking. However noone appears to be able to answer the question of legality. Is it legal to privide the eeprom key? Either way, the drive can be unlocked. The ability to distribute the key will only help people use the drive outside the xbox (plus make it simpler to unlock the drive in the xbox). ca62f500675ebd3e5b0ebc59241d142774758ddb 0 3706 6940 6742 2021-05-11T18:18:51Z Thrimbor 2531 Add full image header table. Mostly taken from caustik, but with fixes and enhancements wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. Standard windows format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a TLS (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from. |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format= Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 08eb39860e6a69da2fd126ff8140e212bac34eae 6941 6940 2021-05-11T18:57:25Z Thrimbor 2531 Add info about TLS wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. Standard windows format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from. |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format= Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} == Resources and links == * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] {{reflist}} [[Category:Fileformats]] 56d3604fd1b98fc11d7fa1af6a00edddf752f21d 6942 6941 2021-05-11T18:59:18Z Thrimbor 2531 Resources and links shouldn't be a subsection of Xbox Alpha executable format wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. Standard windows format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from. |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] cee6bdd0df0e5a6072df1ef86f4913ab55e2669d 0 3790 6944 6871 2021-05-18T19:33:37Z Billy549 2520 /* Compatible USB sticks */ wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units where made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. (It is rumored that the capacity should not exceed 4GB) However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |- |USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device |- |[https://www.aliexpress.com/item/33007483881.html Generic Aliexpress Flash Drive] || 0xABCD || 0x1234 || 128MB|| |- |} == Protocol == === USB Descriptor (Offical Memory Unit) === <pre> Bus 002 Device 003: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] 123e7b1d34a9413ce20da9cf9695e2b4ebe6b642 0 3772 6947 6514 2021-05-23T01:15:36Z Chipsnapper 2523 Timmyyyyyyyyyyyyyyyyyyyyyyyyyy! wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg 1 ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Soundtrack name Easter-Egg 2 ("Timmyyyyyyyyyyyyyyyyyyyyyyyyyy!") === ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: Timmyyyyyyyyyyyyyyyyyyyyyyyyyy! with 26 'y' characters. # Go to Settings -> System Information. The Xbox Dashboard credits will be displayed. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == * [[Hard Drive Files]] * [[Soundtracks]] b287ba7e77aaf74a105ec8828480147aceb8a848 6948 6947 2021-05-23T01:16:15Z Chipsnapper 2523 /* Steps to activate Soundtrack Easter Egg */ wikitext text/x-wiki == Hidden features == === Hotkey to switch to HD modes === Latest Xbox Dashboard (5960) force 480p display mode: Press and hold Left trigger, right trigger, and both analog stick buttons. The normally displayed 480i dashboard will switch to 480p output while using the Xbox High Definition AV Pack or cable. Repeat button combo to toggle between 480p and 480i. === Music visualization in fullscreen === Press {{input-y}}, {{input-x}} while playing audio CDs or soundtracks stored on the HDD to display full-screen geiss-like music visualization. Or, press "INFO" button on the DVD Playback Kit remote. Only visible with DVD Playback Kit and Remote: #Start playing a song using either the Xbox controller or playback kit remote. #Press {{input-y}}, {{input-x}} on the controller or "INFO" on the remote to get the full screen visualization. #Here's the part that requires the DVD Playback Kit remote. Press "STOP" or "PAUSE" (you cannot use the controller to stop the music to see it as doing so goes back to the Music Playback menu with the small visualization area). Once the music visualization pattern dies down, a full-screen swirling starfield pattern appears. After some time passes, the screen will be filled with a changing burst of solid color where you can make out the wireframe spinning globe seen encompassing the main dashboard background. The burst of color fades to black leaving the swirling starfield. The cycle repeats with a random changing solid color burst which fades to the swirling starfield{{FIXME|reason=replace lengthy explanation with a video of this}}. Not quite true about needing the remote control, if playing a CD while full screen visualization is displayed, press the eject button on the front of the Xbox console. === Soundtrack name Easter-Egg 1 ("<<Eggs&beta;ox>>") === Stored in settings_adoc.xip (which is actually an XBE file) ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: <<Eggs&beta;ox>> including the less than, beta, and greater than symbols. # After you have entered the title, select "Done". A "Thank You" message starts which is followed by a scrolling list of the Xbox Team members. If you press a button on the controller or let the message play through to the end -- the Xbox reboots. === Soundtrack name Easter-Egg 2 ("Timmyyyyyyyyyyyyyyyyyyyyyyyyyy!") === ==== Steps to activate Soundtrack Easter Egg ==== # Insert an audio CD and let it begin to play. # Stop the disk and step back (press B) in order to "Copy" selected tracks of the CD to the hard drive. # When the track list comes up, "Select All" and continue. # Choose "New Soundtrack" as the destination for your selection. # Enter the name of your soundtrack exactly as follows: Timmyyyyyyyyyyyyyyyyyyyyyyyyyy! with 26 'y' characters. # Allow the CD to finish copying to the hard drive. # Go to Settings -> System Information. The Xbox Dashboard credits will be displayed. === Parental Control Bypass === If Parental Control is enabled and the password set has been forgotten, all is not lost. Use the following sequence: * {{input-x}} {{input-y}} {{input-lt}} {{input-x}} SET PASS CODE, MOVIES and GAMES level can now be modified and the pass code removed if so desired. With SET PASS CODE selected, press {{input-a}} or {{input-start}} to change the current pass code and once more to be prompted, "Do you wish to delete the current pass code?". Select Yes or No then {{input-a}}. === Format Admin Codes === Secret Xbox format codes to format all drives except C. The code is different for all versions of the Xbox. If you find your code, please post it here along with your xbox version (at least the last 2 digits of the serial number - the factory code where it was manufactured). ==== Different codes based on serial-number ==== MS support techs under certain conditions would ask for your serial number and verify registration of your Xbox before giving you a code to clear/format your fouled Xbox's HDD.{{FIXME|reason=What part(s) of the serial number they used to determine the correct code is unknown?}} ==== List of Xbox Format Admin Codes ==== All of these codes are entered at the MS Dashboard's "System Info" screen. (UNTESTED here, codes posted as given at original source site.) * Xbox v1.0: {{input-y}} {{input-x}} {{input-ly+}} {{input-lx-}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one seems to work with most Xbox sold in the United States}}: {{input-y}} {{input-ly+}} {{input-ly-}} {{input-x}} {{input-a}} * Unknown version{{FIXME|reason=Which? This one worked with the Xbox manufactured in Hungary, serial numbers ending in 03}}: {{input-y}} {{input-lx-}} {{input-x}} {{input-a}} {{input-lx-}} Source: [https://web.archive.org/web/20041010231137/http://unmodded.mine.nu:80/docs/FormatAdminCode unmodded.mine.nu/docs/FormatAdminCode] === Traveling Menus === Turn on your Xbox and go to the dashboard, press {{input-y}} {{ input-x}} on the main screen not from any sub-menu, the main menu will start to slowly move. Press {{input-y}} {{ input-x}} to return menu to locked position. All sub-menus will be moving about as well, you cannot return to locked position from sub-menus only from main menu. Source: Shaky Menu at https://www.gamefaqs.com/xbox/915780-xbox/cheats == See Also == * [[Hard Drive Files]] * [[Soundtracks]] b55441fe082dd820a036cb305b6081b0081c656f 0 3674 6949 6862 2021-05-24T23:36:44Z X86corez 2533 Add sections and move ports from [[I/O]] page here. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" ! Ports || Purpose |- | 0000-001f || dma1 |- | 0020-003f || pic1 |- | 0040-0043 || timer0 |- | 0050-0053 || timer1 |- | 0060-006f || keyboard |- | 0070-007f || rtc |- | 0080-008f || dma page reg |- | 00a0-00bf || pic2 |- | 00c0-00df || dma2 |- | 00f0-00ff || fpu |- | 01f0-01f7 || ide0 |- | 03c0-03df || vesafb |- | 03f6-03f6 || ide0 |- | 0cf8-0cff || PCI conf1 |- | 1000-100f || nVidia Corporation nForce PCI System Management |- | 1080-10ff || nVidia Corporation Intel 537 [nForce MC97 Modem] |- | 1400-14ff || nVidia Corporation Intel 537 [nForce MC97 Modem] |- | c000-c00f || nVidia Corporation nForce PCI System Management (amd756-smbus) |- | c200-c21f || nVidia Corporation nForce PCI System Management |- | d000-d0ff || nVidia Corporation nForce Audio |- | d200-d27f || nVidia Corporation nForce Audio |- | e000-e007 || nVidia Corporation nForce Ethernet Controller |- | ff60-ff6f || nVidia Corporation nForce IDE |- | ff60-ff67 || ide0 |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 6bfb02ddb654b42c6f0cf7682728f8c3fed0d8ab 0 3826 6950 5934 2021-05-24T23:37:04Z X86corez 2533 Create a redirect. No pages link to this page actually. wikitext text/x-wiki #REDIRECT [[Memory]] 2840bf29ec7f336704de23915d4eee7269203890 0 3674 6951 6949 2021-05-24T23:54:12Z X86corez 2533 /* I/O port map */ Remove overlapping ide0, minor corrections. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" ! Ports || Purpose |- | 0000-001f || dma1 |- | 0020-003f || pic1 |- | 0040-0043 || timer0 |- | 0050-0053 || timer1 |- | 0060-006f || keyboard |- | 0070-007f || rtc |- | 0080-008f || dma page reg |- | 00a0-00bf || pic2 |- | 00c0-00df || dma2 |- | 00f0-00ff || fpu |- | 01f0-01f7 || ide0 |- | 03c0-03df || vesafb |- | 03f6-03f6 || ide0 |- | 0cf8-0cff || PCI conf1 |- | 1000-100f || nVidia Corporation nForce PCI System Management |- | 1080-10ff || nVidia Corporation nForce MC'97 Modem (Intel 537) |- | 1400-14ff || nVidia Corporation nForce MC'97 Modem (Intel 537) |- | c000-c00f || nVidia Corporation nForce PCI System Management (amd756-smbus) |- | c200-c21f || nVidia Corporation nForce PCI System Management |- | d000-d0ff || nVidia Corporation nForce AC'97 Audio |- | d200-d27f || nVidia Corporation nForce AC'97 Audio |- | e000-e007 || nVidia Corporation nForce Ethernet Controller |- | ff60-ff6f || nVidia Corporation nForce IDE |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 7c7519a4ebacc5ead6b261ea0aa99ff7bfd48290 6952 6951 2021-05-25T14:38:20Z X86corez 2533 /* I/O port map */ Convert to the same table format as memory map. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |ACI (AC97) Registers |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x001F |- |Master PIC |colspan="2"|0x0020 - 0x003F |- |Timer 0 |colspan="2"|0x0040 - 0x0043 |- |Timer 1 |colspan="2"|0x0050 - 0x0053 |- |A20 Gate / Speaker |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x007F |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00BF |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU |colspan="2"|0x00F0 - 0x00FF |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb |colspan="2"|0x03C0 - 0x03DF |- |IDE |colspan="2"|0x03F6 - 0x03F6 |- |PCI Configuration Space |colspan="2"|0x0CF8 - 0x0CFF |- |SMBus (I2C) |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|SMBus (I2C) |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|ACI (AC97) |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> f05e06000c1514c2429b8fbeda9a00ab02ee6183 6953 6952 2021-05-25T15:06:13Z X86corez 2533 Add relevant links. Mark questionable I/O ports. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x001F |- |Master PIC |colspan="2"|0x0020 - 0x003F |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |Timer 1 {{FIXME|reason=What is this?}} |colspan="2"|0x0050 - 0x0053 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x007F |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00BF |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU {{FIXME|reason=What is this?}} |colspan="2"|0x00F0 - 0x00FF |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |[[PCI|PCI Configuration Space]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 022061c6f2d5467a35ce637f1dc7f4c3a04cc7fd 6954 6953 2021-05-25T15:11:34Z X86corez 2533 /* I/O port map */ Fix PIC ports. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x001F |- |Master PIC |colspan="2"|0x0020 - 0x0021 |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |Timer 1 {{FIXME|reason=What is this?}} |colspan="2"|0x0050 - 0x0053 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x007F |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00A1 |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU {{FIXME|reason=What is this?}} |colspan="2"|0x00F0 - 0x00FF |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |[[PCI|PCI Configuration Space]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> 819c1b899c79e3ce5576ed9f9fe09a136926934c 6955 6954 2021-05-25T15:16:34Z X86corez 2533 /* I/O port map */ Add Super I/O and Serial ports. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x001F |- |Master PIC |colspan="2"|0x0020 - 0x0021 |- |[[Super I/O]] |N/A |0x002E - 0x002F |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |Timer 1 {{FIXME|reason=What is this?}} |colspan="2"|0x0050 - 0x0053 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x007F |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00A1 |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU {{FIXME|reason=What is this?}} |colspan="2"|0x00F0 - 0x00FF |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |Serial (COM1) |N/A |0x03F8 - 0x03FF |- |[[PCI|PCI Configuration Space]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> ac72744bc1e3b32753d99bb1cd9d0a5ab80191e0 6956 6955 2021-05-25T15:52:53Z X86corez 2533 /* I/O port map */ Better descriptions. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x001F |- |Master PIC |colspan="2"|0x0020 - 0x0021 |- |[[Super I/O|Super I/O Configuration]] |N/A |0x002E - 0x002F |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |Timer 1 {{FIXME|reason=What is this?}} |colspan="2"|0x0050 - 0x0053 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x007F |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00A1 |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU {{FIXME|reason=What is this?}} |colspan="2"|0x00F0 - 0x00FF |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |[[Super I/O|Super I/O Serial]] |N/A |0x03F8 - 0x03FF |- |[[PCI|PCI Configuration]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> d576b897266fbe00b2793266d96a2738a9acacba 6957 6956 2021-05-26T16:40:52Z X86corez 2533 /* I/O port map */ Fixes from AMD-768 Peripheral Bus Controller datasheet. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x000F |- |Master PIC |colspan="2"|0x0020 - 0x0021 |- |[[Super I/O|Super I/O Configuration]] |N/A |0x002E - 0x002F |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x0073 |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00A1 |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU Error Control |colspan="2"|0x00F0 - 0x00F1 |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |[[Super I/O|Super I/O Serial]] |N/A |0x03F8 - 0x03FF |- |[[PCI|PCI Configuration]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> bc10e7b94ef84380ebfb6a16eb5e056f1c758f89 6958 6957 2021-05-26T16:50:18Z X86corez 2533 /* I/O port map */ Add LPC PM address space. wikitext text/x-wiki The Xbox has 64MB Memory. This could be expanded to 128MB of memory on boards of revision 1.0-1.4 (Boards of revision 1.0-1.4 have empty spots for the extra memory, but they were later removed on 1.6 boards) but no games took advantage of it. The debug Xbox and the Chihiro both contained 128MB Memory. The memory was shared between the CPU and GPU. On the retail Xbox, the [[Flash ROM]] and [[MCPX ROM]] are also mapped to memory at the top 16 MiB and the top 512 Bytes respectively. However on Debug Xboxes and Chihiro, only the Flash is mapped as they don't contain an MCPX ROM. = Memory map = {| class="wikitable" style="text-align: center;" ! Memory Type ! Retail Xbox Range ! Debug/Chihiro Range |- |Main Memory |0x00000000 - 0x03FFFFFF |0x00000000 - 0x07FFFFFF |- |[[GPU|GPU (NV2A) Registers]] |colspan="2"|0xFD000000 - 0xFDFFFFFF |- |[[APU|APU Registers]] |colspan="2"|0xFE800000 - 0xFE87FFFF |- |[[ACI|ACI (AC97) Registers]] |colspan="2"|0xFEC00000 - 0xFEC00FFF |- |USB 0 Registers |colspan="2"|0xFED00000 - 0xFED00FFF |- |USB 1 Registers |colspan="2"|0xFED08000 - 0xFED08FFF |- |NIC (NVNet) Registers |colspan="2"|0xFEF00000 - 0xFEF003FF |- |[[Flash ROM]] |colspan="2"|0xFF000000 - 0xFFFFFFFF |- |[[MCPX ROM]] |0xFFFFFE00 - 0xFFFFFFFF |N/A |} = I/O port map = {{FIXME|reason=Taken from the KVMBOX memorymap.txt, not confirmed}} {| class="wikitable" style="text-align: center;" ! Device ! Retail Xbox Range ! Debug/Chihiro Range |- |DMA Channels 0-3 |colspan="2"|0x0000 - 0x000F |- |Master PIC |colspan="2"|0x0020 - 0x0021 |- |[[Super I/O|Super I/O Configuration]] |N/A |0x002E - 0x002F |- |[[Porting an Operating System to the Xbox HOWTO #Timer Frequency|PIT]] |colspan="2"|0x0040 - 0x0043 |- |[[17 Mistakes Microsoft Made in the Xbox Security System #The Xbox Hardware|A20 Gate]] / [[MCPX #Pin L21: PC Speaker|Speaker]] |colspan="2"|0x0060 - 0x006F |- |CMOS / RTC |colspan="2"|0x0070 - 0x0073 |- |DMA Page Address |colspan="2"|0x0080 - 0x008F |- |Slave PIC |colspan="2"|0x00A0 - 0x00A1 |- |DMA Channels 4-7 |colspan="2"|0x00C0 - 0x00DF |- |FPU Error Control |colspan="2"|0x00F0 - 0x00F1 |- |IDE |colspan="2"|0x01F0 - 0x01F7 |- |vesafb {{FIXME|reason=Does XGPU expose I/O ports?}} |colspan="2"|0x03C0 - 0x03DF |- |IDE {{FIXME|reason=Really? This is rather one of FDC ports}} |colspan="2"|0x03F6 - 0x03F6 |- |[[Super I/O|Super I/O Serial]] |N/A |0x03F8 - 0x03FF |- |[[PCI|PCI Configuration]] |colspan="2"|0x0CF8 - 0x0CFF |- |[[SMBus|SMBus (I2C)]] |colspan="2"|0x1000 - 0x100F |- |rowspan="2"|Modem (MC97) |colspan="2"|0x1080 - 0x10FF |- |colspan="2"|0x1400 - 0x14FF |- |[[PCI #00.01:0 - ISA Bridge|LPC PM]] |colspan="2"|0x8000 - 0x80FF |- |rowspan="2"|[[SMBus|SMBus (I2C)]] |colspan="2"|0xC000 - 0xC00F |- |colspan="2"|0xC200 - 0xC21F |- |rowspan="2"|[[ACI|ACI (AC97)]] |colspan="2"|0xD000 - 0xD0FF |- |colspan="2"|0xD200 - 0xD27F |- |NIC (NVNet) |colspan="2"|0xE000 - 0xE007 |- |IDE |colspan="2"|0xFF60 - 0xFF6F |} = Emulation = Code for emulating the memory might consist of: <pre> #ifdef DEBUG || CHIHIRO #define MEMORY_SIZE 128 * 1024 * 1024 int mcpx_active = 0; #else #define MEMORY_SIZE 64 * 1024 * 1024 int mcpx_active = 1; #endif #define FLASH_SIZE 256 * 1024 #define FLASH_MAP_SIZE 16 * 1024 * 1024 #define FLASH_MAP_ADDRESS (0xFFFFFFFF - FLASH_MAP_SIZE + 1) #define MCPX_SIZE 0x200 #define MCPX_MAP_ADDRESS (0xFFFFFFFF - MCPX_MAP_SIZE + 1) uint8_t memory[MEMORY_SIZE] = {0}; uint8_t flash[FLASH_SIZE] = {0}; uint8_t mcpx[MCPX_SIZE] = {0}; uint8_t get_memory_byte(uint32_t location) { if (location < MEMORY_SIZE) { return memory[location]; } if (mcpx_active && location >= MCPX_MAP_ADDRESS) { return mcpx[location - MCPX_MAP_ADDRESS]; } if (location >= FLASH_MAP_ADDRESS) { return flash[(location - FLASH_MAP_ADDRESS) % FLASH_SIZE]; } printf("Memory in unspecified range: %08X\n", location); return 0; } uint16_t get_memory_word(uint32_t location) { return get_memory_byte(location + 1) << 8 | get_memory_byte(location); } uint32_t get_memory_dword(uint32_t location) { return get_memory_word(location + 2) << 16 | get_memory_word(location); } void deactivate_mcpx() { mcpx_active = 0; } </pre> a2d74a0819f053d69125fa218d25d5a1bddc805e 6 4010 6959 2021-06-26T22:19:24Z Codeasm 2480 The Super I/O board of a DVT4 wikitext text/x-wiki The Super I/O board of a DVT4 0da7e7fbad535862f83718624599438a475dca2c 0 3820 6960 6368 2021-06-26T22:25:05Z Codeasm 2480 Finnaly added that image, a Super I/O board from a DVT4 wikitext text/x-wiki The Super I/O board is a feature of some [[Development Kits]]. The board is build around a SMSC LPC47M157 chip ([https://drive.google.com/uc?export=download&id=0BxOesalXbGtOanoxenlqQUh6Y0k Datasheet]) and interfaces with the Xbox via a ribbon cable connected to the [[LPC Debug Port]]. [[File:SerialIOBoard.jpeg|400px|thumb|right|Super I/O board from a DVT4]] The board provides the following ports: * RS232 (used for [[Kernel Debug | Kernel debugging]], not to be confused with [[Xbox Debug Monitor]]) unpopulated ports or functions are: * PS/2 Mouse port{{citation needed}} * PS/2 Keyboard port{{citation needed}} * something MCPX (SMBus?){{citation needed}} * Temp something (SMBus?){{citation needed}} * Post code (SMBus?){{citation needed}} * Flash-ROM / BIOS (like modchips, replaces onboard kernel?){{citation needed}} == Schematic == Its a four layer board, layers 2 and 3 are filled on the entire board, probably ground and power planes. north, or up in the next tables is up as written the layer numbers and silkscreen common direction. The folowing main parts are populated on the board: {| class="wikitable" !| total ! Labels ! Description |- |1 | U1 | SMSC LPC47M157-NC (1996 ) |- | 0 | U2 | unpopulated DIP24 MCU(?) |- |1 | U3 | MAX223EAI (0104, first week 2004?) |- |1 |Y2 |CMX-309FB B (14.3181Mhz standard Clock Oscillator ) |- |1 |J7 |AMP rs232 Male connector |- |1 |J9 |16 pins male header (LPC bus) |- |5 |R1,R7,R10,R11,R12 |10Kohm smd resistor |- |7 |C10,C12,C13,C16,C17,C36,C37 |Bigger, probably NOT all the same caps |- |17 |C1,C2,C9,C15,C1?(8?),C21,C22,C23,C24,C25,C26,C28,C31,C32,C33,C34,C35 |Smaller, also, asuming not all the same |} The connections in the following tables are checked with the continuity test on a VOM(Multimeter). but for now here are the listings of wich pin goes where: === U3 MAX223EAI [https://datasheets.maximintegrated.com/en/ds/MAX220-MAX249.pdf] === {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | T3OUT | | | | |- | 2 | T1OUT | | | | |- | 3 | T2OUT | | | | |- | 4 | R2IN | | | | |- | 5 | R2OUT | | | | |- | 6 | T2IN | | | | |- | 7 | T1IN | | | | |- | 8 | R1OUT | | | | |- | 9 | R1IN | | | | |- | 10 | GND | | | | |- | 11 | VCC | Power | 5V supply voltage | J9 6 | |- | 12 | C1+ | | | | |- | 13 | V+ | | | | |- | 14 | C1- | | | | |- | 15 | T4OUT | | | | |- | 16 | R3IN | | | | |- | 17 | R3OUT | | | | |- | 18 | SHDN | | | | |- | 19 | EN | | | | |- | 20 | R4IN | | | | |- | 21 | R4OUT | | | | |- | 22 | T4IN | | | | |- | 23 | T3IN | | | | |- | 24 | R5OUT | | | | |- | 25 | R5IN | | | | |- | 26 | V- | | | | |- | 27 | C2- | | | | |- | 28 | C2+ | | | | |} === U1 SMsC LPC ic === Still lots to fill out here, but all connections required for kernel debugging via null-modem cable tied to TX/RX/GND have been accounted for. {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 6 | CLKI32 | Input | 32.768kHz trickle clock input | GND (C17) | Disabled via GND |- | 7 | VSS | Power | Ground | GND (C17) | |- | 18 | VTR | Power | 3.3V standby voltage | C17 bypass to 3.3V | Connected to VCC because no wakeup functionality is required |- | 19 | CLOCKI | Input | 14.318MHz clock input | Y2 3 | |- | 20 | LAD0 | I/O | LPC address/data bus | J9 11 | Multiplexed command, address and data bus. |- | 21 | LAD1 | I/O | LPC address/data bus | J9 10 | Multiplexed command, address and data bus. |- | 22 | LAD2 | I/O | LPC address/data bus | J9 8 | Multiplexed command, address and data bus. |- | 23 | LAD3 | I/O | LPC address/data bus | J9 7 | Multiplexed command, address and data bus. |- | 24 | LFRAME# | Input | Frame signal | J9 3 | Indicates start of a new cycle and termination of broken cycle. |- | 26 | PCI_RESET# | Input | PCI reset | J9 5 | Used as LPC interface reset. |- | 27 | LPCPD# | Input | Power down signal | R7 (10k) pull-up to 3.3V | Indicates that it should prepare for power to be shut down on the LPC interface. Tied high relying on PCI_RESET to do its job. |- | 29 | PCI_CLK | Input | PCI clock | J9 1 | |- | 30 | SER_IRQ | Output | Serial interrupt requests | J9 16 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |- | 31 | VSS | Power | Ground | GND | |- | 32 | GP10/J1B1 | | | Trace open? | |- | 33 | GP11/J1B2 | | | Trace open? | |- | 34 | GP12/J2B1 | | | Trace open? | |- | 37 | GP15/J1Y | | | Trace open? | |- | 38 | GP16/J2X | | | Trace open? | |- | 39 | GP17/J2Y | | | Trace open? | |- | 40 | AVSS | Power | Analog ground | GND | |- | 42 | GP21/P16/nDS1 | | | Trace open? | |- | 44 | VREF | Power | 3.3V reference voltage | C2 bypass to 3.3V | 5V or 3.3V used for the game port logic |- | 45 | GP24/SYSOPT | | | R1 (10k) pull-down to GND | Set the configuration base I/O address of 0x2E (R2 would be a pullup to 3.3V with a different configuration address) |- | 47 | GP26/MIDI_OUT | | | Trace open? | |- | 49 | GP61/LED2 | | | Trace open? | |- | 51 | GP30/FAN_TACH2 | | | Trace open? | |- | 53 | VCC | Power | 3.3V supply voltage | C1 bypass to 3.3V | |- | 55 | P33/FAN1 | | | Trace open? | |- | 57 | KCLK | | | Trace open? | |- | 59 | MCLK | | | Trace open? | |- | 60 | VSS | Power | Ground | GND | |- | 61 | IRRX2/GP34 | | | Trace open? | |- | 65 | VCC | Power | 3.3V supply voltage | C9 bypass to 3.3V | |- | 76 | VSS | Power | Ground | GND (C10) | |- | 84 | RXD1 | Input | | U3 8 U2 18 | |- | 85 | TXD1 | Output | | U3 6 U2 17 | |- | 86 | nDSR1 | Input | Data set ready | U3 ? | Optional flow control |- | 87 | nRTS1 | Output | Request to send | U3 ? | Optional flow control |- | 93 | VCC | Power | | C21 bypass to 3.3V | |- | 95 | RXD2 | Input | | Trace open? | |- | 96 | TXD2 | Output | | Trace hidden under IC? | |- | 97 | nDSR2 | Input | Data set ready | Trace open? | Optional flow control |- | 98 | nRTS2 | Output | Request to send | Trace hidden under IC? | Optional flow control |- | 101 | HVSS | Power | | GND | |- | 102 | HVCC | Power | | C24 bypass to 3.3V | |- | 103 | SDA | I/O | | J9 14 | |- | 104 | SCLK | I/O | | J9 13 | |- | 105 | A0/RESET# | | | R10 (10k) pull-up to 3.3V | |- | 111 | HVCC | Power | | C32 bypass to 3.3V | |- | 112 | HVSS | Power | | GND | |- | 121 | HVCC | Power | | C33 bypass to 3.3V | |- | 122 | HVCC | Power | | C34 bypass to 3.3V | |- | 125 | HVSS | Power | | GND | |- | 126 | HVSS | Power | | GND | |- | 127 | HVSS | Power | | GND | |- | 128 | HVSS | Power | | GND | |} === J9 LPC header=== NOTE: version 1.3+ motherboards are missing the LFRAME signal which will need to be generated by an external CPLD [https://www.reddit.com/r/originalxbox/comments/7uo3lq/got_an_xbox_for_free_dvd_tray_wont_stop_ejecting/dtmqmn3/] NOTE: version 1.5 motherboards are missing pins 2 (GND) and 9 (VCC3), and pins 12 (GND) and 15 (VCC3) haven't been confirmed to work correctly{{citation needed}} {| class="wikitable" !| Pin ! Name ! Type ! Description ! Termination(s) ! Notes |- | 1 | LCLK | Output | PCI clock | U1 29 | |- | 2 | VSS | Power | System ground | (see other parts) | |- | 3 | LFRAME# | Output | Frame signal | U1 24 | Indicates start of a new cycle and termination of broken cycle. |- | 4 | --- | --- | --- | --- | Voided to ensure correct ribbon cable alignment. |- | 5 | LRST# | Output | PCI reset | U1 26 | Used as LPC interface reset. |- | 6 | VCC5 | Power | 5V power supply | (see other parts) | C12(e), C13(S), C15(S), U3 11 |- | 7 | LAD3 | I/O | LPC address/data bus | U1 23 | Multiplexed command, address and data bus. |- | 8 | LAD2 | I/O | LPC address/data bus | U1 22 | Multiplexed command, address and data bus. |- | 9 | VCC3 | Power | 3.3V power supply | (see other parts) | |- | 10 | LAD1 | I/O | LPC address/data bus | U1 21 | Multiplexed command, address and data bus. |- | 11 | LAD0 | I/O | LPC address/data bus | U1 20 | Multiplexed command, address and data bus. |- | 12 | VSS | Power | System ground | (see other parts) | |- | 13 | SCL | I/O | SMBus clock signal | U1 104 | |- | 14 | SDA | I/O | SMBus data signal | U1 103 | |- | 15 | VCC3 | Power | 3.3V power supply | (see other parts) | Intended to be used for external IO board |- | 16 | L_SER_IRQ | Input | Serial interrupt requests | U1 30 | Provides a serial interrupt request line for mouse/keyboard implementations of the IO board. |} == Related links == * [https://github.com/espes/xqemu/blob/xbox/hw/xbox/lpc47m157.c Super I/O emulation in XQEMU] (SMBus?) * [https://imgur.com/a/ROMYa Images (CC0 License) by Codeasm with detailed shots of the SuperIO board] 64634cdcac65a358020ab3df40edcca2db52de79 0 3821 6961 6883 2021-06-28T10:51:47Z Codeasm 2480 added the manufacturer of the emulator board wikitext text/x-wiki The DVD emulator is a feature of [[Development Kits]]. It enables a developer to create and test for DVD remastering. This means deciding which files to store on the DVD and where on the disk to store them (layout).{{citation needed}} this is then tested using the DVD emulator software, and hardware for loading speeds and possibly potential faults that could occur. Its been developed by AMC, Applied Microsystems Corporation for microsoft [https://web.archive.org/web/20000829084821/http://www.codejunkies.com:80/archive/microsystems_develop_xbox_dvd.htm] [https://web.archive.org/web/20000815073611/http://www.amc.com/news/press/2000/7-21.html] The Hardware required for this was a Developement kit, (with the DVD emulation board) some sort of scsi cable, and an XDK-Raptor card.{{citation needed}} The complete kit, a Raptor PCI Scsi card and Hardisk was numbered: 940-75004 Rev.01 two or more versions of the PCI scsi card are known: * 700-75307 Rev.01 * 700-75307 Rev 03 [https://assemblergames.com/threads/sealed-xbox-raptor-card-for-xdk-dvd-emu.41763/ Assemblergames](posibly same as rev1?) The software was bundled with the official xdk software and a (40GB ?{{citation needed}})Hardisk was connected to the Raptorcard where the DVD mastering image was stored on. This wasn't the fastest way to get an executable to the Xbox for development, and is useless for Homebrew.{{citation needed}} {{FIXME|reason=Describe the purpose in more detail}} Picture: [[File:https://i.imgur.com/VNFxuya.jpg]] Next to serial debugging board: [[File:https://i.imgur.com/OZqxKyH.jpg]] d71baf8a85752d75e918433761911f6a3d95af0a 0 3669 6962 6882 2021-06-28T11:03:22Z Codeasm 2480 /* THOMSON TGM600 */ Xbox news article wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. a news article officially anouncing thomson to be producing the DVD drive for the original xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] bf64851e14c4467912ccae1a0dbbbd9b3ff8f4ab 6963 6962 2021-06-28T11:04:32Z Codeasm 2480 /* THOMSON TGM600 */ Capitals wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink * Xbox 1.1 ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout ** Switched to ATX Power connector * Xbox 1.3 ** Removed LFrame signal from LPC Port * Xbox 1.4 ** Updated Board Layout ** Switched to the "Focus" Video Encoder * Xbox 1.5 ** 3.3v and GND removed from LPC * Xbox 1.6 ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == There has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. They possibly never existed{{citation needed}}, but will otherwise be very rare. Production was halted and 1.4 was produced again{{citation needed|reason=Sooo.. do these exist or not?!}}. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original Xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. A news article officially announcing Thomson to be producing the DVD drive for the original Xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] d8d2280973516b602d7c9a9b1648b869f7277f9b 0 3671 6964 6746 2021-06-28T11:22:10Z Codeasm 2480 Added Dolby news wikitext text/x-wiki The MCPX is the southbridge chip of the Xbox chipset made by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) as well as the USB, PCI, IDE, etc, controllers [https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml]. Dolby Laboratories anounced in April 2001, The xbox will feature a new "Dolby Interactive Content Encoder" of which the Xbox is the first console to get this.[https://web.archive.org/web/20010419091049/http://www.codejunkies.com:80/Xbox/news.asp?id=9422][https://www.ign.com/articles/2001/04/16/xbox-to-feature-dolby-digital-51-surround-sound-in-games] == ROM == The MCPX is home to the secret [[MCPX ROM]]. == Pin L21: PC Speaker == The MCPX has a PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface]. However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox. A speaker can be soldered to this pin in order to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/] The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication. <gallery mode="slideshow"> Image:XboxWithPcSpkr.jpg|'' '' Image:XboxPcSpkrTrace.jpg|'' '' Image:XboxPcSpkrSolderPoints.jpg|'' '' </gallery> == See Also == * [[NForce]] * [http://siliconpr0n.org/archive/doku.php?id=azonenberg:nvidia:mcpx Die Inspection] d6b8a3d8a10285fe5abc81f0c021abe0a1d9e2a1 0 3790 6965 6944 2021-06-28T12:59:03Z BinToss 2535 Add MadCatz Memory Card for Xbox wikitext text/x-wiki The memory units are typically formatted with [[FATX]]. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes" |- | Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one |- | ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster" |- | MadCatz Memory Card for Xbox || 0x0738 || 0x4507 || 8MB || Currently unknown if this originally had a front sticker |} == Unlicensed Xbox Memory Units == Some unlicensed Memory Units were made. {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- | Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves" |} == Compatible USB sticks == Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. (It is rumored that the capacity should not exceed 4GB) However, not all devices are compatible, so the following table gives a list of known devices: {| class="wikitable" ! Product name !! VID !! PID !! Capacity !! Notes |- |BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB || |- |USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device |- |[https://www.aliexpress.com/item/33007483881.html Generic Aliexpress Flash Drive] || 0xABCD || 0x1234 || 128MB|| |- |} == Protocol == === USB Descriptor (Offical Memory Unit) === <pre> Bus 002 Device 003: ID 045e:0280 Microsoft Corp. Xbox Memory Unit (8MB) Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0280 Xbox Memory Unit (8MB) bcdDevice 0.0e iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 60mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 66 bInterfaceProtocol 80 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 </pre> === USB Descriptor (MadCatz Memory Card 2001) === via [https://docs.microsoft.com/en-us/powershell/module/pnpdevice/get-pnpdeviceproperty?view=windowsserver2019-ps Get-PnpDeviceProperty cmdlet] {| class="wikitable" ! InstanceId !! KeyName !! Type !! Data |- | USB\VID_0… || DEVPKEY_Device_HardwareIds || StringList || {USB\VID_0738&PID_4507&REV_000>, USB\VID_0738&PID_4507} |- | USB\VID_0… || DEVPKEY_Device_CompatibleIds || StringList || {USB\Class_08&SubClass_42&Prot_50, USB\Class_08&SubClass_4… |- | USB\VID_0… || DEVPKEY_Device_ConfigFlags || UInt32 || 64 |- | USB\VID_0… || DEVPKEY_Device_LocationInfo || String || Port_#0003.Hub_#0006 |- | USB\VID_0… || DEVPKEY_Device_PDOName || String || \Device\USBPDO-11 |- | USB\VID_0… || DEVPKEY_Device_Capabilities || UInt32 || 4 |- | USB\VID_0… || DEVPKEY_Device_BusTypeGuid || Guid || {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A} |- | USB\VID_0… || DEVPKEY_Device_LegacyBusType || UInt32 || 15 |- | USB\VID_0… || DEVPKEY_Device_BusNumber || UInt32 || 0 |- | USB\VID_0… || DEVPKEY_Device_EnumeratorName || String || USB |- | USB\VID_0… || DEVPKEY_Device_Address || UInt32 || 3 |- | USB\VID_0… || DEVPKEY_Device_PowerData || Binary || {56, 0, 0, 0…} |- | USB\VID_0… || DEVPKEY_Device_RemovalPolicy || UInt32 || 3 |- | USB\VID_0… || DEVPKEY_Device_RemovalPolicyDefault || UInt32 || 3 |- | USB\VID_0… || DEVPKEY_Device_InstallState || UInt32 || 2 |- | USB\VID_0… || DEVPKEY_Device_BaseContainerId || Guid || {B4097C92-D7E7-11EB-B8AF-287FCF765565} |- | USB\VID_0… || DEVPKEY_Device_InstanceId || String || USB\VID_0738&PID_4507\6&4FE9DBE&2&3 |- | USB\VID_0… || DEVPKEY_Device_DevNodeStatus || UInt32 || 25191424 |- | USB\VID_0… || DEVPKEY_Device_ProblemCode || UInt32 || 28 |- | USB\VID_0… || DEVPKEY_Device_ProblemStatus || NTStatus || 3221226640 |- | USB\VID_0… || DEVPKEY_Device_Parent || String || USB\VID_045E&PID_0288\5&c1bd4d0&0&7 |- | USB\VID_0… || DEVPKEY_Device_Siblings || StringList || {USB\VID_045E&PID_0289\6&4fe9dbe&2&1} |- | USB\VID_0… || DEVPKEY_Device_SafeRemovalRequired || Boolean || False |- | USB\VID_0… || DEVPKEY_Device_ContainerId || Guid || {B4097C92-D7E7-11EB-B8AF-287FCF765565} |- | USB\VID_0… || DEVPKEY_Device_IsPresent || Boolean || True |- | USB\VID_0… || DEVPKEY_Device_HasProblem || Boolean || True |- | USB\VID_0… || {83DA6326-97A6-4088-9453-A1923F573B29} 15 || Boolean || True |- | USB\VID_0… || DEVPKEY_Device_IsRebootRequired || Boolean || False |- | USB\VID_0… || DEVPKEY_Device_ReportedDeviceIdsHash || UInt32 || 1284365040 |- | USB\VID_0… || DEVPKEY_Device_InLocalMachineContainer || Boolean || False |- | USB\VID_0… || DEVPKEY_Device_Stack || StringList || {\Driver\USBHUB3} |- | USB\VID_0… || {A8B865DD-2E3D-4094-AD97-E593A70C75D6} 26 || Boolean || False |- | USB\VID_0… || {3464F7A4-2444-40B1-980A-E0903CB6D912} 10 || UInt32 || 3 |- | USB\VID_0… || DEVPKEY_Device_ConfigurationId || String || |- | USB\VID_0… || {80497100-8C73-48B9-AAD9-CE387E19C56E} 6 || UInt32 || 0 |- | USB\VID_0… || {83DA6326-97A6-4088-9453-A1923F573B29} 5 || Error || 3758096936 |- | USB\VID_0… || {83DA6326-97A6-4088-9453-A1923F573B29} 10 || String || USB\VID_045E&PID_0288\5&c1bd4d0&0&7 |- | USB\VID_0… || DEVPKEY_Device_InstallDate || FileTime || 2021-06-28 4:48:12 AM |- | USB\VID_0… || DEVPKEY_Device_FirstInstallDate || FileTime || 2021-06-28 4:48:12 AM |- | USB\VID_0… || DEVPKEY_Device_LastArrivalDate || FileTime || 2021-06-28 4:48:12 AM |- | USB\VID_0… || DEVPKEY_Device_LocationPaths || StringList || {PCIROOT(0)#PCI(1400)#USBROOT(0)#USB(7)#USB(3), ACPI(_SB_)… |} == References == * [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz] * [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm] * [https://imgur.com/a/yOwZdUe MadCatz Memory Card for Xbox (2001-09-26 PCB)] * [https://www.lukiegames.com/xbox-madcatz-memory-card-xbox-360-accessory MadCatz Memory Card for Xbox (2005-07-14 PCB)] * [https://xbox.fandom.com/wiki/Mad_Catz_Memory_Card Mad Catz Memory Card on the Xbox Fandom wiki, for redundancy's sake] 0314ae20dde1f2d1c3bacf87947cecd3fa99b314 0 3965 6966 6521 2021-08-08T16:36:30Z Lycoder 2537 numSongGroups doesn't actually count the amount of song groups, but the amount of songs in the soundtrack, change to numSongs. wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes, and all values are stored as little-endian. '''File Layout:''' <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... (Zero-filled) CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00000001 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00021371 |- | int32 | id | |- | uint32 | numSongs | |- | int32 | songGroupIds[84] | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode{{FIXME|reason=Encoding? UCS-2?}} string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00031073 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[192] | 6 Unicode{{FIXME|reason=Encoding? UCS-2?}} strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 8a62cc7c77162b343c999bdb98139cedb04e4690 6972 6966 2021-11-03T03:08:29Z KaosEngineer 2482 /* Folder Structure */ soundtrack NNNN named subfolders are created in E:\TDATA\fffe0000\music\. wikitext text/x-wiki The Xbox allows for soundstracks to be stored on the harddrive and played in-game. Music is copied from audio CDs using the dashboard and converted to WMA audio files. The notes gathered here are from decompiling StDB.dll from ''Xbox Soundtrack Manager''. == Folder Structure == All soundtrack related data is stored in E:\TDATA\fffe0000\. Songs are organized into groups of folders containing up to 6 WMA files. Zero-padded 4 decimal integers are used for the folder names stored in a subfolder named music, and zero-padded 8 decimal integers are used for the WMA file names. Metadata such as song title and which soundtrack a song belongs to is stored in the ST.DB file == ST.DB == The ST.DB file contains information about soundtracks loaded on the Xbox. Up to 100 soundtracks with 500 songs each can be used. Each header and struct described below is padded to 512 bytes, and all values are stored as little-endian. '''File Layout:''' <pre>(start of file) 0000 Main Header 0200 Soundtrack Struct 1 0400 [Soundtrack Struct 2] ... (Zero-filled) CA00 Song Group 1 CC00 [Song Group 2] ... (end of file) </pre> === Main Header === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00000001 |- | int32 | numSoundtracks | |- | int32 | nextSoundtrackId | |- | int32 | soundtrackIds[100] | |- | int32 | nextSongId | |- | char | padding[96] | |} === Soundtrack Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00021371 |- | int32 | id | |- | uint32 | numSongs | |- | int32 | songGroupIds[84] | |- | int32 | totalTimeMilliseconds | |- | wchar | name[64] | Unicode{{FIXME|reason=Encoding? UCS-2?}} string |- | char | padding[64] | |} === Song Group Struct === {| class="wikitable" ! Type ! Description ! Comment |- | int32 | magic | always 0x00031073 |- | int32 | soundtrackId | |- | int32 | id | |- | int32 | padding | |- | int32 | songId[6] | |- | int32 | songTimeMilliseconds[6] | |- | wchar | songName[192] | 6 Unicode{{FIXME|reason=Encoding? UCS-2?}} strings, each padded to 64 characters |- | char | padding[64] | |} == Default Encoding Settings == These are the encoding settings used by the dashboard when encoding WMA files: {| class="wikitable" ! Key ! Value |- | Format | WMA Version 2 |- | Codec Description | Windows Media Audio V8 |- | Encoding Tool | Windows Media Encoding Utility 8.0.0.403 |- | Bit Rate | 128 kbps |- | Channels | 2 |- | Sampling Rate | 44.1 kHz |- | Bit Depth | 16 bit |} The track number is added to the metadata. 2e9732bd8a418c53942c2d618abd4933b545844b 0 3708 6967 6621 2021-09-29T11:05:23Z Teufelchen 2518 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * Most up to date: [https://hackmd.io/DXo0p8VnQLy3XQ7YR1Ny_w?view The FATX filesystem] * Archive of the xbox-linux project from 2010: [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * Private writings from 2002: [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] a706f00e80868180cc1414cca4ffdfd8babaac22 0 3706 6968 6942 2021-10-06T17:13:26Z Thrimbor 2531 Add info about the LibraryVersion Table wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. Standard windows format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from. |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] c30e4525d025a70aa23a8b32909a723ec84cbf2c 0 3768 6969 6946 2021-10-15T02:39:27Z Ryzee119 2519 Add DVD Playback IR dongle Firmware dump protocol wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |- | X08-25597 || Indonesia || 1.1 || 4 || 229790 Bytes || <code>1E6D7F4F526B56527447AA09EDA41FFF05665A16</code> || |- | X08-96288-002 || Indonesia || 1.1 || 3 || 229790 Bytes || <code>0447373BF9326DFF95808CD028ED19FACD54C759</code> || |} === USB Protocol === ==== USB Descriptor ==== <pre> Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0284 Xbox DVD Playback Kit bcdDevice 0.0a iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0022 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x00 (Missing must-be-set bit!) (Bus Powered) MaxPower 0mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 89 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 </pre> ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. The keycodes read from an official Microsoft IR remote are as follows: {| class="wikitable" !Button !data_low !data_high |- |INFO |0xC3 |0x0A |- |9 |0xC6 |0x0A |- |8 |0xC7 |0x0A |- |7 |0xC8 |0x0A |- |6 |0xC9 |0x0A |- |5 |0xCA |0x0A |- |4 |0xCB |0x0A |- |3 |0xCC |0x0A |- |2 |0xCD |0x0A |- |1 |0xCE |0x0A |- |0 |0xCF |0x0A |- |SELECT |0x0B |0x0A |- |UP |0xA6 |0x0A |- |DOWN |0xA7 |0x0A |- |RIGHT |0xA8 |0x0A |- |LEFT |0xA9 |0x0A |- |STOP |0xE0 |0x0A |- |REVERSE |0xE2 |0x0A |- |FORWARD |0xE3 |0x0A |- |TITLE |0xE5 |0x0A |- |PAUSE |0xE6 |0x0A |- |PLAY |0xEA |0x0A |- |POWER |0xD5 |0x0A |- |BACK |0xD8 |0x0A |- |SKIP- |0xDD |0x0A |- |SKIP+ |0xDF |0x0A |- |MENU |0xF7 |0x0A |- |} ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew). The firmware locatedn on the DVD dongle is accessed over USB by a vendor specific control request. The setup packet for the control transfer should have the below format: {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Field !! Value !! Notes |- | bmRequestType || 0xC1 || Device-to-host / Vendor / Interface. |- | bRequest || 1 or 2 || 1 = Request ROM info, 2 = Request ROM data. |- | wValue || What 1024 byte chunk || 0 = the first 1024 bytes, 1 = Second 1024 bytes etc. |- | wIndex || 1 (Normally) || Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles. |- | wLength || Up to 1024 || Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue. |- |} bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form: <pre> typedef struct { uint16_t version; //The version of the embedded ROM uint32_t rom_size; //In bytes } xremote_info_t; </pre> The rom size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes. === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] 8bae0875ccdff3e94288168f3103d9f6fa2a4c18 6974 6969 2022-01-26T16:42:20Z JohnVeness 2539 /* References */ Added MS link wikitext text/x-wiki [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] ==Introduction== The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. == Remote Control == === Infrared interface === {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} <pre> struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data }; </pre> The first part of the transfer consists of the negated data signal (<code>check</code>). The data integrity can be confirmed by XOR-ing both parts: <pre> check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF </pre> The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. == Dongle == The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. Additionally the dongle contains an IR receiver to receive commands from the Remote control. === Known versions === {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |- | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |- | X08-25387 || Indonesia || || || || || |- | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB |- | X08-25597 || Indonesia || 1.1 || 4 || 229790 Bytes || <code>1E6D7F4F526B56527447AA09EDA41FFF05665A16</code> || |- | X08-96288-002 || Indonesia || 1.1 || 3 || 229790 Bytes || <code>0447373BF9326DFF95808CD028ED19FACD54C759</code> || |} === USB Protocol === ==== USB Descriptor ==== <pre> Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0284 Xbox DVD Playback Kit bcdDevice 0.0a iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0022 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x00 (Missing must-be-set bit!) (Bus Powered) MaxPower 0mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 89 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 </pre> ==== Infrared signals ==== <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: <pre> struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; }; </pre> When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. The keycodes read from an official Microsoft IR remote are as follows: {| class="wikitable" !Button !data_low !data_high |- |INFO |0xC3 |0x0A |- |9 |0xC6 |0x0A |- |8 |0xC7 |0x0A |- |7 |0xC8 |0x0A |- |6 |0xC9 |0x0A |- |5 |0xCA |0x0A |- |4 |0xCB |0x0A |- |3 |0xCC |0x0A |- |2 |0xCD |0x0A |- |1 |0xCE |0x0A |- |0 |0xCF |0x0A |- |SELECT |0x0B |0x0A |- |UP |0xA6 |0x0A |- |DOWN |0xA7 |0x0A |- |RIGHT |0xA8 |0x0A |- |LEFT |0xA9 |0x0A |- |STOP |0xE0 |0x0A |- |REVERSE |0xE2 |0x0A |- |FORWARD |0xE3 |0x0A |- |TITLE |0xE5 |0x0A |- |PAUSE |0xE6 |0x0A |- |PLAY |0xEA |0x0A |- |POWER |0xD5 |0x0A |- |BACK |0xD8 |0x0A |- |SKIP- |0xDD |0x0A |- |SKIP+ |0xDF |0x0A |- |MENU |0xF7 |0x0A |- |} ==== Firmware download ==== See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew). The firmware locatedn on the DVD dongle is accessed over USB by a vendor specific control request. The setup packet for the control transfer should have the below format: {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> ! Field !! Value !! Notes |- | bmRequestType || 0xC1 || Device-to-host / Vendor / Interface. |- | bRequest || 1 or 2 || 1 = Request ROM info, 2 = Request ROM data. |- | wValue || What 1024 byte chunk || 0 = the first 1024 bytes, 1 = Second 1024 bytes etc. |- | wIndex || 1 (Normally) || Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles. |- | wLength || Up to 1024 || Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue. |- |} bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form: <pre> typedef struct { uint16_t version; //The version of the embedded ROM uint32_t rom_size; //In bytes } xremote_info_t; </pre> The rom size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes. === Components === Different versions of the dongle seem to use different hardware internally. ==== X08-25387-002 (PCB: "X01469-100") ==== * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} * U2 TSOP-1556 * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} ==== X08-25387 (PCB: "IR DONGLE REV B") ==== [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] * U3 MX23C4000TC-10 {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d ==== Unknown version (PCB: "REV C.") ==== [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] [[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]] * U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt; : This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside. * U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt; : This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver. * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt; : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt; : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. == References == * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] * [https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/817041 Microsoft KB817041 document "Xbox: Description of the DVD Movie Playback Kit"] ffc92459206ae156859a8719daf875a0d9467f9a 0 3912 6970 6343 2021-10-23T02:10:16Z KaosEngineer 2482 Updated PlasticsToday URL to one that has the pictures and not 3 redirects on the Wayback Machine to access it. wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured by Flextronics in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356^th to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. The bar code is the 12-digit serial number in standard [https://en.wikipedia.org/wiki/Code_39 Code 39] format. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Videos == * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Factory Tour Video (Sárvár, Hungary; 2002)] - Demonstrates almost the entire assembly process from start to finish (not including case manufacturing). * [https://www.youtube.com/watch?v=_iR0eNuyUKI Flextronics Advertisement] - Contains still photos of the PCB manufacturing and testing processes. == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html Case study - Microsoft Xbox], Innovation and Design Management, University of Cambridge * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R. [https://www.plasticstoday.com/molding-big-man-campus], PlasticsToday, 1 December 2001 == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. e6bcf998e394edfa1335382fd87e42d5f66c9f9d 6971 6970 2021-10-23T02:13:48Z KaosEngineer 2482 Fixed link to show more than [1] but the article title. wikitext text/x-wiki [[File:Manufacturing26.jpg|thumb|Sárvár, Hungary factory]] The Xbox was manufactured by Flextronics in four locations throughout its lifetime: Guadalajara, Mexico; Sárvár, Hungary; Doumen, China; and Taiwan{{FIXME|reason=City?}}. == Serial Number == [[File:Serial-sticker.jpg|frame|An example of a serial number sticker]] Every Xbox has a sticker on the bottom with a manufacturing date and a 12-digit serial number. The serial number encodes information about where and when the hardware was manufactured. Using the pictured serial number as an example: {| class="wikitable" style="text-align:center" ! Line !! Number !! Year !! Week !! Factory |- | 1 || 166356 || 2 || 09 || 03 |} The first field is the factory production line number. The second field is the Xbox's number for the week (for the whole factory, not just the one line). The third field is the last digit of the year. The fourth field is the week of the year. Finally, the fifth field is the factory number. Mexico is 02, Hungary is 03, China is 05, and Taiwan is 06. So this Xbox was the 166,356^th to be manufactured in week 9 of the year 2002 on production line 1 in Sárvár, Hungary. The bar code is the 12-digit serial number in standard [https://en.wikipedia.org/wiki/Code_39 Code 39] format. == Timeline == {| class="wikitable" ! scope="col" | ! scope="col" | Mexico ! scope="col" | Hungary ! scope="col" | China |- ! colspan=4 scope="col" | 2001 |- ! scope="row" | October | colspan=2 | Production of 110V 1.0 Xboxes with Thomson DVD drives begins for USA/Canada. | style="background:white" | |- ! colspan=4 scope="col" | 2002 |- ! scope="row" | January | Production begins for Japan. | Production switches to 220V 1.0 models for Europe/Australia. | style="background:white" | |- ! scope="row" | April | Production lines 1 and 6 are moved to China. 50% of new units now produced with Philips DVD drives. | | {{FIXME|reason=Which markets did China take up production for?}} |- ! scope="row" | May | | Production stops after ~3 million units. All four production lines moved to China. | |- ! scope="row" | August | | style="background:white" | | Production of the 220V 1.1 Xbox for Europe/Australia begins, with mostly Philips and sometimes Thomson DVD drives. |- ! scope="row" | September | | style="background:white" | | Most units now use Samsung DVD drives. |- ! scope="row" | October | Remaining four lines switched to version 1.1. | style="background:white" | | |- ! scope="row" | November | | style="background:white" | | Production extended to 110V USA/Canada/Japan models. |- ! scope="row" | December | Production ends after ~7 million units. | style="background:white" | | First line changes to version 1.2. |- ! colspan=4 scope="col" | 2003 |- ! scope="row" | February | style="background:white" | | style="background:white" | | Last line changes to version 1.2. |- ! scope="row" | March | style="background:white" | | style="background:white" | | First line changes to version 1.3. |- ! scope="row" | April | style="background:white" | | style="background:white" | | Last line changes to version 1.3. |- ! scope="row" | July | style="background:white" | | style="background:white" | | First line changes to version 1.4. |- ! scope="row" | August | style="background:white" | | style="background:white" | | First line changes to version 1.5. |- ! colspan=4 scope="col" | 2004 {{FIXME|reason=Need timeline for 1.6 models.}} |- ! scope="row" | ? | style="background:white" | | style="background:white" | | ? |} == Hardware assembly == The Xbox was manufactured just like many other mass-produced electronic products. Printed circuit boards were made in bulk and populated by pick-and-place machines, the plastic case was formed by injection molding, and finally all of the pieces were assembled by hand on production lines. The overall process didn't vary much between hardware revisions. The only notable change was related to the BIOS ROM. Up until version 1.6, the BIOS was flashed onto a TSOP ROM before being soldered to the motherboard. Revision 1.6 introduced the Xyclops chip, which integrated both the [[System Management Controller]] and the BIOS ROM on a single die. This meant the BIOS had to be flashed by the chip manufacturer instead of on the Xbox production line. <gallery> File:Manufacturing19.jpg|Plastic case molding & assembly. File:Manufacturing18.jpg|Lids File:Manufacturing9.jpg|Green jewels File:Manufacturing10.jpg|Green jewels File:Manufacturing16.jpg|Jewels are dispensed from hoppers. File:Manufacturing7.jpg|Lid shield is positioned. File:Manufacturing3.jpg|Lid is placed over shield. File:Manufacturing5.jpg|Jewel is aligned... File:Manufacturing4.jpg|...and then applied. File:Manufacturing6.jpg|The tape is left on to prevent scratches. File:Manufacturing15.jpg|Shield and drive caddies are installed in the bottom half. File:Manufacturing20.jpg|Assembled cases are placed on pallets. File:Manufacturing11.jpg File:Manufacturing12.jpg File:Manufacturing13.jpg File:Manufacturing14.jpg|Cases ready for their electronics. File:Manufacturing25.jpg|Components arrive in bulk at the assembly line. File:Manufacturing26.jpg File:Manufacturing24.jpg|Technicians assemble components. File:Manufacturing23.jpg File:Manufacturing22.jpg File:Manufacturing27.jpg File:Manufacturing28.jpg File:Manufacturing21.jpg|Fully assembled consoles are placed on carts, ready for initialization. </gallery> == Software initialization == When a fully-assembled Xbox reached the end of the production line, it had a: * valid BIOS image * blank EEPROM * blank, unlocked hard disk To initialize the EEPROM and hard disk in the final stage of production, a technician would insert a DVD containing a setup program. The setup program, named default.xbe just like any other primary Xbox executable, was built by the XDK with the "allow eject" flag set and the region code set to 0x80000000 ("DEBUG"). When the Xbox kernel initializes, it checksums the EEPROM. If it fails, the Xbox will be in DEBUG mode, i.e. the region code is set to 0x80000000. With the region code set to this value, the kernel ignores it if the hard disk is not locked. Because the region code matches, the kernel will run the executable from the DVD, which does the following: # Format the three swap partitions # Copy XMTAXBOX.XBE from the DVD to the first cache partition and run it Then the DVD can be ejected and put into the next Xbox. === XMTAXBOX.XBE === This XMTAXBOX.XBE is an XBE retail-signed for hard disk, also with the region code set to 0x80000000, that does the following: # Retrieve the EEPROM contents from a network server # Retrieve the contents of the system and data partitions from a network server # Lock the hard disk # Run some self tests and send a report to the server A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one. Xbox kernels since version 4034 have another backdoor that even works if the EEPROM check succeeds: If bit 30 of the media flag of an XBE is set, the condition of the hard disk is ignored as well. This change allows Microsoft to replace broken hard disks without replacing a valid EEPROM on an Xbox sent in for repair. Before this change, they had to rewrite the EEPROM whenever they replaced the drive. <gallery> File:Manufacturing30.jpg|Consoles are initialized by setup program. File:Manufacturing33.jpg|Initialized consoles undergo final integration testing. File:Manufacturing34.jpg File:Manufacturing2.jpg </gallery> == Packing and shipping == <gallery> File:Manufacturing17.jpg|Styrofoam inserts are prepared. File:Manufacturing31.jpg|Consoles are packed into boxes. File:Manufacturing32.jpg|Boxes are sealed... File:Manufacturing29.jpg|...and loaded on pallets, ready for shipping. </gallery> == Videos == * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Factory Tour Video (Sárvár, Hungary; 2002)] - Demonstrates almost the entire assembly process from start to finish (not including case manufacturing). * [https://www.youtube.com/watch?v=_iR0eNuyUKI Flextronics Advertisement] - Contains still photos of the PCB manufacturing and testing processes. == Further Reading == * [https://web.archive.org/web/20100617013616/http://www.ifm.eng.cam.ac.uk/ctm/idm/cases/xbox.html Case study - Microsoft Xbox], Innovation and Design Management, University of Cambridge * O'Brien, J. [https://web.archive.org/web/20100617013616/http://www.wired.com/wired/archive/9.11/flex_pr.html The making of the Xbox], Wired, Issue 9.11, November 2001 * Shah, J. and Serant, C. [https://web.archive.org/web/20100617013616/http://www.ebnonline.com/story/OEG20020311S0076 Microsoft's Xbox sets supply chain standard], EBN Online, 11 March 2002 * Olavsrud, T. [https://web.archive.org/web/20100617013616/http://www.internetnews.com/bus-news/article.php/1129171 Flextronics relocates Xbox manufacturing facility], Internetnews.com, 15 May 2002 * Penz, B. [https://web.archive.org/web/20100617013616/http://www.amcham.hu/BusinessHungary/16-06/articles/16-06_27.asp Game Over? Xbox production heads east], Business Hungary, Vol 16 No 6, June 2002 * Carbone, J. [https://web.archive.org/web/20100617013616/http://manufacturing.net/pur/article/CA237778?stt=001&pubdate=08%2F15%2F02 Outsourcing the Xbox], Purchasing Magazine Online, 15 August 2002 * Neilley, R. [https://www.plasticstoday.com/molding-big-man-campus Molding is big man on this campus], PlasticsToday, 1 December 2001 == Credits == This article is adapted from [https://web.archive.org/web/20100617013616/http://www.xbox-linux.org/wiki/Xbox_Manufacturing_Process Xbox Manufacturing Process] by Michael Steil. Its content is reproduced here under the [https://www.gnu.org/licenses/old-licenses/fdl-1.2.en.html GNU Free Documentation License 1.2]. Production line photos are from [https://web.archive.org/web/20100608022830/http://andy.saturn9.ws:80/Photo%20Albums/Xbox%20Manufacturing%20Facility/ Andy Rostad's gallery]. af791e72e26662577f7733c61e7665039805aff3 0 3688 6973 6448 2022-01-12T19:22:58Z Haxar 2485 Former freenode is now Libera.Chat; gitter link is decommissioned wikitext text/x-wiki <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> <div style="font-size: 162%; border: none; margin: 0; padding:.1em;">Welcome to XboxDevWiki.net,</div> <div style="font-size: 95%">a wiki dedicated to research of the original Microsoft Xbox.</div> <div style="text-align:left;"> <hr> XboxDevWiki is an effort to document the inner workings of the original Microsoft Xbox and Xbox-based SEGA Chihiro. We not only care about technical details about those platforms, but also how to develop homebrew and emulate them. We are not interested in documenting the Xbox 360, Xbox One or any other console at this point. Also check out the [https://github.com/xboxdev XboxDev GitHub organization] where we provide tools and code related to Xbox research and development. <hr> '''Want to help? Contact us!''' This wiki is the place for all remaining Xbox projects to come together. Please come chat with us in [https://discord.gg/WxJPPyz XboxDev on Discord] or in [irc://irc.libera.chat/xqemu #xqemu on Libera.Chat IRC] ([https://web.libera.chat/#xqemu Webchat]). You'll also get the details for wiki account creation there. </div> </div> e4d3a8d5c33561c67f6aa0fa8b28b41a2f797b20 1 4011 6975 2022-01-31T09:35:55Z JohnVeness 2539 Created page with "== Roms == I have an X08-25387 from which I could probably dump the ROM. Is there a repository somewhere to upload/store them? Also, what is the "Version" in the wiki table (a..." wikitext text/x-wiki == Roms == I have an X08-25387 from which I could probably dump the ROM. Is there a repository somewhere to upload/store them? Also, what is the "Version" in the wiki table (always seems to be 1.1)? --[[User:JohnVeness|JohnVeness]] ([[User talk:JohnVeness|talk]]) 09:35, 31 January 2022 (UTC) 0d4e1dde1f289ff9af05bd2301d04ebb145c2b0c 0 3906 6976 6295 2022-02-04T11:23:15Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2, but Microsoft upgraded their tool to use new random padding. * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 529b99f8d7c2f4c0b9d50284aa9384e5a2e163b3 6977 6976 2022-02-04T11:24:45Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2, but Microsoft upgraded their tool to use new random padding. * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 9b83ec7238474cb36d9706247c83f9eedaa835d5 6978 6977 2022-02-04T11:25:17Z Qubits 2540 /* Wave 3 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4721 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 455c64a82bfb4d8af0142f864458fbf79e9bbc37 6979 6978 2022-02-04T11:27:03Z Qubits 2540 /* Version 3926 - 4808 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] bb5d56da022a776e0cce26e2c15649ffb2305840 6980 6979 2022-02-09T08:19:59Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (Europe) (Rev 1) ** xblayout version: 1.0.4721.1 (new algorithm) * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] e0747cca3a94f54b3b164350a9a2e2e9901ab170 6981 6980 2022-02-09T10:04:47Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft All games with xblayout > 4808 use a new random padding algorithm. Microsoft generated the final image. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Classic) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 3ce172f8a070ec59bed8ce331beae96cb9b267ea 6982 6981 2022-02-09T10:07:54Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Classic) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] f2863f93ef35f31af1ef35fd0858a2e02a38cf5f 6983 6982 2022-02-09T10:45:17Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] fc99b4f91c1db97667230b05cf8b8b2fcb7af971 6984 6983 2022-02-09T10:47:02Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 11fed878ddfc42ed3ef8665ef73aada2336ad947 0 4006 6985 6922 2022-02-13T22:39:27Z Useruser 2541 Add Chihiro info, taken from a single row power connector Chihiro, it's likely the dual row will have different values wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 461532733706 | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | ? | "Development Kit" | Y | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 174431fb82809a59b96c6c72644229130345dff9 6 4012 6986 2022-02-14T20:19:08Z Useruser 2541 playright dvt3 1 wikitext text/x-wiki playright dvt3 1 b37b326624d2d0585998555497397cda40293245 6 4013 6987 2022-02-14T20:19:28Z Useruser 2541 playright dvt3 2 wikitext text/x-wiki playright dvt3 2 4aa264ff77403c74b8753fdac558477afac709aa 6 4014 6988 2022-02-14T20:20:08Z Useruser 2541 playright dvt3 3 wikitext text/x-wiki playright dvt3 3 f6aab7e705e61ce93fab1f3bc7e99d473390aeac 6 4015 6989 2022-02-14T20:20:31Z Useruser 2541 playright dvt3 4 wikitext text/x-wiki playright dvt3 4 6fc61510951e86ced0c0cd8d6e8ba03a64251a76 6 4016 6990 2022-02-14T20:20:52Z Useruser 2541 playright dvt3 5 wikitext text/x-wiki playright dvt3 5 6ba13b697a8a64d730ad52336f1cc561a8b483bd 6 4017 6991 2022-02-14T20:21:14Z Useruser 2541 playright dvt3 6 wikitext text/x-wiki playright dvt3 6 d04fb00fdb59bc7d3899f627f1290f99e1fa9b76 6 4018 6992 2022-02-14T20:21:36Z Useruser 2541 playright dvt3 7 wikitext text/x-wiki playright dvt3 7 6de386092b2b5503d27ecd1466ed017b34f9c527 6 4019 6993 2022-02-14T20:22:01Z Useruser 2541 playright dvt3 8 wikitext text/x-wiki playright dvt3 8 dffb5990003f43250da261589a858c284e0fa68e 6 4020 6994 2022-02-14T20:23:49Z Useruser 2541 playright dvt3 9 wikitext text/x-wiki playright dvt3 9 d1f13e16837e8eaa514943ec12d111466104e002 6 4021 6995 2022-02-14T20:26:03Z Useruser 2541 random ag poster dvt3 1 wikitext text/x-wiki random ag poster dvt3 1 65a7da87a06c19dbc9cc7c47b670b1edc0636ba4 6 4022 6996 2022-02-14T20:26:19Z Useruser 2541 random ag poster dvt3 2 wikitext text/x-wiki random ag poster dvt3 2 2991d590d63b5cc33f9aa651e3f9130005f5037d 6 4023 6997 2022-02-14T20:26:36Z Useruser 2541 random ag poster dvt3 3 wikitext text/x-wiki random ag poster dvt3 3 805c6e93267cc42b22a6e368c93dec52409a943a 6 4024 6998 2022-02-14T20:27:08Z Useruser 2541 Syclopse dvt3 1 wikitext text/x-wiki Syclopse dvt3 1 0e61d25c515e4644220dbdb3e443aaad9f9307db 6 4025 6999 2022-02-14T20:27:24Z Useruser 2541 Syclopse dvt3 2 wikitext text/x-wiki Syclopse dvt3 2 d589c51c165bec75ca24981f8de4a4c81b7b5f70 6 4026 7000 2022-02-14T20:27:59Z Useruser 2541 Syclopse dvt3 3 wikitext text/x-wiki Syclopse dvt3 3 b8bfe36c3639887adc4130d6e1161abf4ac8df95 6 4027 7001 2022-02-14T20:28:42Z Useruser 2541 Syclopse dvt3 4 wikitext text/x-wiki Syclopse dvt3 4 565400be49fe84822ebed14946f764e4f85b1a06 6 4028 7002 2022-02-14T20:29:05Z Useruser 2541 Syclopse dvt3 5 wikitext text/x-wiki Syclopse dvt3 5 345304fee121fcdbeca40cc78bf1721bcf69f666 6 4029 7003 2022-02-14T20:31:07Z Useruser 2541 Syclopse dvt3 6 wikitext text/x-wiki Syclopse dvt3 6 4c7176fbac432617d45c70e6d8ba9e21022770fd 6 4030 7004 2022-02-14T20:31:36Z Useruser 2541 Syclopse dvt3 7 wikitext text/x-wiki Syclopse dvt3 7 9919d806471fa4223159361b0575fa88d1d3f8bb 6 4031 7005 2022-02-14T20:32:07Z Useruser 2541 Syclopse dvt3 8 wikitext text/x-wiki Syclopse dvt3 8 5338574151b99983ef9c179a442b4909e5b921b2 6 4032 7006 2022-02-14T20:32:37Z Useruser 2541 Syclopse dvt3 9 wikitext text/x-wiki Syclopse dvt3 9 e73e6a063bc85b42940463535ec28162c92c10a3 6 4033 7007 2022-02-14T20:33:29Z Useruser 2541 Syclopse dvt3 10 wikitext text/x-wiki Syclopse dvt3 10 dc50ed6397885f9b2dbc81d4b232e40a59201aff 0 4006 7008 6985 2022-02-14T20:42:01Z Useruser 2541 model was in the wrong spot, and we need a better 1.3 run wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | ? | ? | ? | ? | "1.3" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 284c2aa2d1f9da9bf03ed025712088ccca8f496d 7012 7008 2022-02-24T02:55:05Z Useruser 2541 add acceptable 1.3 wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | N | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 735b0dd085c41c53951ead6f04708eea3f950ee5 7014 7012 2022-02-24T18:50:51Z Useruser 2541 Add pre-launch debug kit wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | N | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | DXF | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 62884e35bfbd78ea179466a056a18555f4154d52 7015 7014 2022-02-24T18:52:36Z Useruser 2541 cato's debug is a really early machine, aug 01 and has a MCP X2 NOT MCPX X2 wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | ? | ? | ? | ? | "1.2" | ? | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | N | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 098ad8778e1a3469fdea82a4dc0005ee28505d54 7017 7015 2022-02-25T02:00:56Z Useruser 2541 add acceptable 1.2 wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | N | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | N | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCPX X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 5a955a1a7207f4bfe727c92f035ec60741ca17bc 7018 7017 2022-02-25T02:06:28Z Useruser 2541 wikitext text/x-wiki Need a confirmed 1.2 kit (would accept someone testing with a device which requires lframe, missing "Development Kit" boxes - would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | N | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | N | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | N | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | N | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | N | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | N | dracc |- | - | - | - | - | - | - | - | - |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 600370522902 | Y | DarkGabbz "1.0 debug" |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro (Single Row)" | 346301512362 | N | Andy |} Some earlier revisions and ones we can't easily more identify. {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a driveby and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} d387ec057df2f83a8df24e8d939e9c10257344c4 7019 7018 2022-02-25T09:39:17Z Useruser 2541 remodel wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | ? | ? | ? | ? | "Debug Kit - 1.2" | ? | |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} df07200f319f8a0f3bf7b76342a533e2d7b14693 7020 7019 2022-02-25T09:53:16Z Useruser 2541 add a 1.2 debug box, is smc rev correct? wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 604644435005 | Haguero |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 564656b00f8f48f41db594fee550f5121e657cc5 7021 7020 2022-02-26T05:33:46Z Useruser 2541 Undo revision 7020 by [[Special:Contributions/Useruser|Useruser]] ([[User talk:Useruser|talk]]) wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | ? | ? | ? | ? | "Debug Kit - 1.2" | ? | |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} df07200f319f8a0f3bf7b76342a533e2d7b14693 7022 7021 2022-02-28T21:24:16Z Useruser 2541 Add another pre launch debug kit wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | ? | ? | ? | ? | "Debug Kit - 1.2" | ? | |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | ? | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} e13fb1e14c8768e0282fbc42dec58d78bf4927bb 7024 7022 2022-03-03T02:23:34Z Useruser 2541 catawalks board says MCPX X2, surprising, odd board wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | ? | ? | ? | ? | "Debug Kit - 1.2" | ? | |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 50cf200178dd9a2a5d6dcf369d7d3d600d2e8749 7033 7024 2022-03-20T02:31:24Z Useruser 2541 doom has another weird box, machine was made in aug of 01, NULL SN not 0's. wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | ? | ? | ? | ? | "Debug Kit - 1.2" | ? | |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 405eadfe8e1aae649afbd9168b04317986a25fa6 7034 7033 2022-03-21T23:46:38Z Useruser 2541 Add xbox7887's 1.2 debug kit wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | ? | ? | XboxSurgeon's 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo |} 8c699a5dceff32a53acda1c95ab6867ddbddd613 7035 7034 2022-03-21T23:57:10Z Useruser 2541 more info about ' wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo | xbox7887 |} 50b969fbdf74408eaea6113807b76748a5703089 7036 7035 2022-03-21T23:57:59Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 865c8928a36910bf3dbd6cb793bfd928e4fdb100 7039 7036 2022-05-18T19:45:56Z Doom 2542 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} a6a2668aadb06921ecebc679b903b7d0e9373a3f 7041 7039 2022-06-29T22:16:55Z Doom 2542 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | ? | ? | ? | ? | "Chihiro - Dual row connector" | ? | |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 6cbb8a564eb84defe7c7c584606aa5af2ac64d9f 0 3906 7009 6984 2022-02-15T21:56:31Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 045674dde5a465cb95d3a691af8b6dae6ee3b036 7010 7009 2022-02-17T22:24:21Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] e6a96ce5f55059c73d6c236be5d4d56b18f1ae0b 7011 7010 2022-02-22T09:44:03Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 1e20957bb826f8943c663fb08394a3360f922921 7023 7011 2022-03-02T12:49:29Z Qubits 2540 /* Wave 2 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === 32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections. * '''Section 1:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] c20af2bf7b91bc113e68c655210c79ddcdc28d70 7025 7023 2022-03-06T07:03:02Z Qubits 2540 /* Volume descriptor */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Section 1:''' The first 20 Bits is the magic. It is always "MICROSOFT*XBOX*MEDIA". {{FIXME|reason=How does this work?}} * '''Section 2:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] abd600ff5751d8419a601a35291f4a7d8cf8d051 7026 7025 2022-03-06T07:11:22Z Qubits 2540 /* Volume descriptor */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] a70b13b677e4d4a4f60ef1c86907f9ee58f24f24 7027 7026 2022-03-06T07:15:17Z Qubits 2540 /* Volume descriptor */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp (LDAP/Win32 FILETIME) |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] e1afbe2b29ea41b8b252c66d95e7cfae202258e6 7028 7027 2022-03-06T09:08:23Z Qubits 2540 /* Version 3926 - 4808 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp (LDAP/Win32 FILETIME) |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. Edit: This assumption is not true, at least not for all instances. For example, all region variants of Conker Live & Reloaded share the same padding stream. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 4e3d8c4798a7e1701b958b78dcbff486136f8027 7029 7028 2022-03-06T09:09:06Z Qubits 2540 /* Version 3926 - 4808 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp (LDAP/Win32 FILETIME) |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] e1afbe2b29ea41b8b252c66d95e7cfae202258e6 7030 7029 2022-03-06T09:09:36Z Qubits 2540 /* Version 4831 - 5849 */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp (LDAP/Win32 FILETIME) |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. Edit: This assumption is not true, at least not for all instances. For example, all region variants of Conker Live & Reloaded share the same padding stream. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] b7a40d00950f5e3b238a8e06ff73532744a6c2d2 7031 7030 2022-03-06T15:47:40Z Qubits 2540 /* Volume descriptor */ wikitext text/x-wiki XDVDFS (Also known as XISO) is the image format used for [[Xbox Game Disc|Xbox Game Discs]]. It is stored in the data area. == Format == Each sector is 2048 bytes. === Filesystem === {{FIXME|reason=More info}} === Volume descriptor === The Volume descriptor islocated at Sector #32 and #33 of the game partition. * '''Sector #32:''' {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0x0 || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |- |0x14 || u32 || Root Directory Table Sector || Multiply with 0x800 for offset |- |0x18 || u32 || Root Directory Table Size || Size in bytes. Always multiple of 0x800 |- |0x1C || u64 || || Timestamp (LDAP/Win32 FILETIME) |- |0x7EC || ascii_char[20] || MAGIC|| MICROSOFT*XBOX*MEDIA |} * '''Sector #33:''' The first 24 Bits is the magic. It is always "XBOX_DVD_LAYOUT_TOOL_SIG". {{FIXME|reason=Describe version information}} ==== Examples ==== <!-- The "Wave n" is not a standard naming and I just made it up myself; we should confirm these and possibly find a better name - JayFoxRox --> {{FIXME|reason=The tool names appearing in this section are guessed by me, we should confirm each of these - JayFoxRox}} {{FIXME|reason=This lacks a couple of XDK versions}} {{FIXME|reason=The byte offsets of each version field are missing}} ===== Wave 1 ===== Developers used xblayout to create DVD layout. Then generated the final image using xbpremaster. The final image was submitted to Microsoft. * [[Azurik: Rise of Perathia]] (NTSC) ** xblayout version: 1.0.3926.1 ** xbpremaster version: 1.0.3926.1 * [[Genma Onimusha]] (PAL) ** xblayout version: 1.0.4039.1 ** xbpremaster version: 1.0.4039.2 * [[Max Payne]] (PAL) ** xblayout version: 1.0.4134.1 ** xbpremaster version: 1.0.4242.1 * [[Petit Copter]] (Japanese) ** xblayout version: 1.0.4361.1 ** xbpremaster version: 1.0.4361.2 * [[007 - Agent Under Fire]] (PAL) ** xblayout version: 1.0.4432.1 ** xbpremaster version: 1.0.4432.1 ===== Wave 2 ===== {{FIXME|reason=This is a theory. Confirm please}}. Developers used a new version of xblayout and submitted the layout + content to Microsoft Microsoft generated the final image. Sometime during this wave, the new padding algorithm got introduced. Judging from the examples below, the padding algorithm does not seem to be bound to the xblayout version or to a specific date. * [[Metal Gear Solid 2 - Substance]] (NTSC) ** xblayout version: 1.0.4721.1 (old algorithm) * [[Hitman 2 - Silent Assassin]] (France) (Original) ** xblayout version: 1.0.4721.1 (new algorithm) ** DMI Timestamp: 2002/09/18 * [[Hitman 2 - Silent Assassin]] (France) (Classic Edition) ** xblayout version: 1.0.4721.1 (old algorithm) ** DMI Timestamp: 2002/12/03 * [[Blade II]] (NTSC) ** xblayout version: 1.0.4808.1 (old algorithm) * [[Battle Engine Aquila]] (PAL) ** xblayout version: 1.0.4831.1 (new algorithm) Other Examples of games with 1.0.4721.1 version that don't use the old algorithm: Mat Hoffman's Pro BMX 2 (France), MLB SlugFest 2003 (USA), NCAA Football 2003 (USA), Phantom Crash (USA), Syberia (USA, Europe) ===== Wave 3 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 2 * [[Metal Gear Solid 2 - Substance]] (PAL) ** xblayout version: 1.0.5120.1 * [[Shenmue II]] (PAL) ** xblayout version: 1.0.5120.1 ===== Wave 4 ===== {{FIXME|reason=This is a theory. Confirm please}}. Same as wave 3, but developers now had to use the xbgamedisc tool instead of xblayout. The mastering tool used by microsoft also leaves a version identifier now. * [[Star Wars - Knights of the Old Republic]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Indiana Jones and the Emperor's Tomb]] (PAL) ** xbgamedisc version: 2.1.0.5233.1 ** mastering tool version: 2.1.0.5233.1 * [[Dynasty Warriors 4]] (PAL) ** xbgamedisc version: 2.1.0.5344.1 ** mastering tool version: 2.1.0.5344.1 * [[The Matrix - Path of Neo]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[The Suffering - Ties That Bind]] ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 * [[Reservoir Dogs]] (PAL) ** xbgamedisc version: 2.1.0.5849.1 ** mastering tool version: 2.1.0.5849.1 === Directory Entry === ==== Version 4361 <!-- Game: Petit Copter --> ==== File entry flags: * READONLY = 0x01 * HIDDEN = 0x02 * SYSTEM = 0x04 * DIRECTORY = 0x10 * ARCHIVE = 0x20 * NORMAL = 0x80 === File data blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Incomplete sectors are padded with 0x00 bytes. === Random blocks === ==== Version 3926 - 4808 ==== Seeded and then starting to emit bytes in data area. Filled with the following algorithm: <pre> // State uint32_t a; uint32_t b; uint32_t c; // Helper static uint32_t Value(void) { uint64_t result; result = c; result += 1; result *= b; result %= 0xFFFFFFFB; c = result & 0xFFFFFFFF; return c ^ a; } // buffer must be at even address, length must be multiple of 2 void Fill(uint16_t* buffer, size_t length) { while(length >= 2) { *buffer++ = Value() >> 8; length -= 2; } } void Seed() { const uint32_t b_seeds[8] = { 0x52F690D5, 0x534D7DDE, 0x5B71A70F, 0x66793320, 0x9B7E5ED5, 0xA465265E, 0xA53F1D11, 0xB154430F }; FILETIME ft; GetSystemTimeAsFileTime(&ft); uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime; a = 0; b = b_seeds[seed & 7]; c = seed; a = Value(); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. ==== Version 4831 - 5849 ==== The algorithm was switched to RC4-256-drop-2048. <pre> #include <openssl/rc4.h> RC4_KEY rc4key; void Fill(uint8_t* buffer, size_t length) { // We need a zero buffer as OpenSSL will want to XOR the keystream with data. // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes. uint8_t zero_buffer[length]; memset(zero_buffer, 0x00, length); RC4(&rc4key, length, zero_buffer, buffer); } void Seed() { union { uint8_t raw[16]; struct { struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian uint64_t tsc; // later 8 bytes, little-endian }; } key; // Initialize seed key.tsc = rdtsc(); GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime); RC4_set_key(&rc4key, 16, &key); // Drop the first 2048 bytes of the RC4 keystream uint8_t discard_buffer[2048]; Fill(discard_buffer, 2048); } </pre> The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1. Edit: This assumption is not true, at least not for all instances. For example, all region variants of Conker Live & Reloaded share the same padding stream. === Security blocks === ==== Version 4361 <!-- Game: Petit Copter --> ==== Treated like random block. == Tools == * [https://github.com/OpenXDK/xbiso XBISO] * [https://github.com/mborgerson/extract-xiso extract-xiso] 857e4212490138840c881ec28154d8c1e4d7293f 0 4034 7013 2022-02-24T05:45:34Z Useruser 2541 Created page with "{| class="wikitable" |- ! DEV_ID ! 0526 ! 0816 ! 3146 ! 3223 ! 3424 ! 3521 ! Notes |- | 10de:0150 | X | ✓ | X | X | X | X | 526 will install but crash in some nv_disp.sys f..." wikitext text/x-wiki {| class="wikitable" |- ! DEV_ID ! 0526 ! 0816 ! 3146 ! 3223 ! 3424 ! 3521 ! Notes |- | 10de:0150 | X | ✓ | X | X | X | X | 526 will install but crash in some nv_disp.sys function, 3146+ check for this dev_id and will not allow you to continue |- | 10de:0200 | X | X | X | X | ✓ | ✓ | 3146 & 3223 will run but not display anything but a blinking cursor, missing something? |- | 10de:0201 | X | X | X | X | ✓ | ✓ | 3146 & 3223 will run but not display anything but a blinking cursor, missing something? |} 534f74d4fb93f12f0183eab25ce9fc5ec119e469 6 4035 7016 2022-02-24T18:56:59Z Useruser 2541 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 0 3700 7032 6831 2022-03-11T02:31:08Z Doom 2542 /* USB Adapters */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * TS04 Kreon 0.5 (June 23rd 2006) * TS04 Kreon 0.60 (July 30th 2006) * TS04 Kreon 0.80 (September 9th 2006) * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * [https://web.archive.org/web/20160904080433/http://www.tsstodd.com:80/TotalLib/popup/Download.asp?path=program&lang=eng&fname=TSDNMAC.ZIP TSDNMAC] for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * [https://web.archive.org/web/20100105230358/http://samsungodd.com/KorLib/File/Tsdnwin.exe TSDNWIN] for Microsoft Windows Vista and 7 * [https://web.archive.org/web/20060328075340/http://www.samsungodd.com/eng/information/Application/Files/sfdndos.exe SFDNDOS] [https://web.archive.org/web/20060328072528/http://www.samsungodd.com/eng/information/Application/Files/Sfdndosm.exe SFDNDOSM] and the newer TSDNDOS ([https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverid=r205571 included here]) for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.com/Vantec-CB-ST00U3-NexStar-Optical-Storage/dp/B07452Z3KH Vantec CB-ST00U3 NexStar USB 3.0 to SATA 6Gbps Optical/Storage Adapter] <code>152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp</code> | TS-H353B/DEWH <code>H/W:A Ver.B APRIL 2007</code> | Windows 11. No extra drivers required. Drive flashed. Works with MFP 2.3. |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. '''These adapters did NOT work with two separate TS-H353B drives on Windows (No media detected, extremely slow to respond).''' |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 7e3fd65744b08a7b1efed42c64e50c4c207ddfdd 0 3707 7037 6870 2022-03-22T04:55:02Z Monocasa 2506 Fill in config area partition path wikitext text/x-wiki The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information. == Partitions == The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. {{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}} {| class="wikitable" |- ! Drive Letter{{FIXME|reason=This is under control of running application / variation even in official products?}} ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | N/A | [[Config Sector|Config Area]] | 0x00000000 | 0x00080000 | Fixed Structure | \Device\Harddisk0\Partition0 |- | X | Game Cache | 0x00080000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition3 |- | Y | Game Cache | 0x2ee80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition4 |- | Z | Game Cache | 0x5dc80000 | 0x2ee00000 | FATX | \Device\Harddisk0\Partition5 |- | C | System | 0x8ca80000 | 0x1f400000 | FATX | \Device\Harddisk0\Partition2 |- | E | Data | 0xabe80000 | 0x131f00000 | FATX | \Device\Harddisk0\Partition1 |} ::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"'' ::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"''{{FIXME|reason=Mark as unofficial / homebrew}} :::::::::::::::::::::::::&nbsp;&nbsp;&nbsp;''added Drive "G:" <=> "\Device\Harddisk0\Partition7"''{{FIXME|reason=Mark as unofficial / homebrew}} '''Debug/Devkit HDD:''' {| class="wikitable" |- ! Drive Letter ! Description ! Offset (bytes) ! Size (bytes) ! Filesystem ! Device Object (MS Retail Kernel) |- | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] | [FIXME] |- |} '''FIXME:''' * Add info on how extended partitions are added. == Locking Mechanism and Basics == The hard drives in the Xbox are standard IDE drives locked with a key (referred to as the HDKey). The drive is unlocked by the Kernel at boot. The XBox uses a User Password with the Maximum security mode (see below). The password is generated in two distinct phases: * Extract the HDKey from the [[EEPROM]] which is unique to each Xbox making this phase dependent only on the [[EEPROM]]. * Generate a drive specific password (keyed to the model and serial number of the drive) with the extracted HDKey from the [[EEPROM]]. The security feature of the hard drive can be enabled and disabled by sending special ATA commands to the drive. If a device is locked, it will refuse all access until it is unlocked. === Locking Mechanism === The ATA/ATAPI Command Set - 2 (ACS-2) specification <ref>[http://www.t13.org/documents/UploadedDocuments/docs2011/d2015r7-ATAATAPI_Command_Set_-_2_ACS-2.pdf Draft: ATA/ATAPI Command Set - 2 (ACS-2) - T13/2015-D - Revision 7, June 22, 2011] (t13.org); Note: T13 drafts are freely available, only the final standards are behind a paywall.</ref> defines an optional ''SECURITY'' feature subset (chapter 7.43 - 7.48) which allows to limit access to the drive's data behind a hardware implemented locking mechanism: * SECURITY DISABLE PASSWORD (Chapter 7.43) * SECURITY ERASE PREPARE (Chapter 7.44) * SECURITY ERASE UNIT (Chapter 7.45) * SECURITY FREEZE LOCK (Chapter 7.46) * SECURITY SET PASSWORD (Chapter 7.47) * SECURITY UNLOCK (Chapter 7.48) ==== The Password ==== A device can have two passwords; either or both may be set with a maximum of 32 byte each. A device can be locked in two modes: High security mode or Maximum security mode. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode, the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. ===== User Password ===== If a ''User Password'' is set (SECURITY SET PASSWORD), the drive blocks the access on a reboot again so you have to re-enter the password (SECURITY UNLOCK). Setting the ''User Password'' will also set the ''Master Password Capability''. ===== Master Password ===== If the ''Master Password Capability'' is set the drive could be locked in one of two modes. Bit 8 in word 128 of the IDENTIFY response shows which mode the drive is in: * 0 = High: the ''Master Password'' could be used to unlock (SECURITY UNLOCK) just like the ''User Password'' or to deactivate the ''User Password'' (SECURITY DISABLE PASSWORD). * 1 = Maximum: the ''Master Password'' could only be used to wipe the drive (SECURITY ERASE UNIT). This makes the drive usable again but all data on it is lost. === Drive Data === During the second phase, the serial and model numbers are needed. These values are available in the response data from the DEVICE_IDENTITY ATA command. However, the data needs to be reorganized. It is read in Big Endian words, and needs to be byte swapped first to get the byte ordering correct. Then, starting from the end of the data (serial == 20 bytes, model == 40 bytes) ignore ASCII spaces (byte value of 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ASCII values in the fields. === Basic Security Algorithms === There are three primary cryptography routines/functions needed when generating an XBox drive password: * SHA1: Hashing algorithm. It's primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest. * RC4: Symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions. * HMAC: Uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature. ==== Password Algorithm ==== - Key data is shown entering functions from the side - Data is shown entring from above or below in order of presentation from left to right <pre> RC4_key &gt;--(second)--&gt;--, /|\ | | | .-&lt;--|__eeprom_key__|--&gt;-----------&gt; HMAC_SHA1 | | /|\ | | | | | .---&gt;-----------' | | | | | eeprom_data = |__data_hash___|__enc_conf__|__enc_data__| | | | | | | | | \|/ | | | | rc4_decrypt &lt;----|---------&lt;| | | | | | | \|/ | | | | (must be equal) | \|/ | | /|\ | rc4_decrypt &lt;---' | | | | | | \|/ \|/ | | |_confounder_|____data____| | | / / | | | / / | | | / / | | | / / | | | \|/ / \|/ `---&gt;-----------------&gt; HMAC_SHA1 / |__HDKey__|__| /|\ / | \______/ | | .-------------------------&lt;--------' | | model_number serial_number | \ / | \ / `---&gt;-----------------&gt; HMAC_SHA1 | \|/ HD_password </pre> This seems to be the easiest way to show the required calculations. Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes 20 bytes into eeprom_data) and the encrypted data (20 bytes 28 bytes into eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the eeprom. If they don't match then the eeprom data is not correct. If the hashes match then the first 16 bytes of the decrypted data field is the HDKey. Once you have the HDKey get the model and serial number from the drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros. == Unlocking == Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly. === Unlock via Serial for Seagate drives === Look here: http://www.os2museum.com/wp/seagate-serial-talk/ === Universal Unlock Method(s) === '''TODO''' '''FIXME:''' * Provide more info on locking/unlocking procedure. * Provide details about the key and how it can be derived from the [[EEPROM]] data. == How To: Backup an HDD == There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive. === Method 1: File Copy === This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM. ==== Remote ==== Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''. ==== Direct ==== Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files. === Method 2: Exact Copy === This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here. Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]). == Further Reading == * [https://web.archive.org/web/20150502210033/http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details] * [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] a933f782b242a1faff203f4b83ec28139fc5facc 0 3706 7038 6968 2022-05-14T16:12:23Z Edness 2544 manually derived beta keys used by Re-Volt and Lamborghini for xbox live beta testing (see ObscureGamers server for context) wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. Standard windows format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from. |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 1ae3c4f5207d8b8964719a9d5fb6afd5c4159cf0 0 3701 7040 6843 2022-06-22T12:51:16Z XENON 2545 Just added some clarity and fixed a typo wikitext text/x-wiki Xbox 360 Backward Compatibility, also known as '''FU''' or '''Fusion''' is Microsoft's original Xbox emulator for the Xbox 360. The emulator binary is called xefu.xex. The first resource is xb1krnl which is a modified version of [[Kernel|xboxkrnl.exe]]. === Modifications to xboxkrnl.exe === The IDEXPRDT section has been dropped, additionally the extra data from the MS-DOS header is gone. ==== Guest to host communication ==== The entrypoint of the kernel looks like: <pre> 80030878: 56 push %esi 80030879: 57 push %edi 8003087a: 8d 05 4c ac 02 80 lea 0x8002ac4c,%eax 80030880: 0f 3f (bad) 80030882: 04 20 80030884: 8d 05 6c ac 02 80 lea 0x8002ac6c,%eax 8003088a: 0f 3f (bad) 8003088c: 04 20 8003088e: 8d 05 8c ac 02 80 lea 0x8002ac8c,%eax 80030894: 0f 3f (bad) 80030896: 04 21 80030898: 8d 05 70 94 01 80 lea 0x80019470,%eax ... </pre> According to [https://web.archive.org/web/20070216172548/https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf this document by symantec] (Page 5, Left-hand-side) the patterns <code>0F 3F x1 x2</code> and <code>0F C7 C8 y1 y2</code> are used for communication with the host. {| class="wikitable" ! x1 !! x2 !! Notes |- | 0x04 || 0x20 || Seems to use eax (address) as parameter? eax points to a zero terminated list of pointers into the kernel memory [7 elements] |- | 0x04 || 0x21 || Seems to use eax (address) as parameter? " [4 elements] |- | 0x04 || 0x22 || Seems to use eax (address) as parameter? Seems to be some call to that address?! |- | 0x04 || 0x23 || Seems to use eax (address) as parameter? |- | 0x04 || 0x24 || Seems to use eax (address) as parameter? |- | 0x04 || 0x35 || Seems to use eax (address) as parameter? |- | 0x04 || 0x50 || Seems to use eax (address) as parameter? " [3 elements] |- | colspan="3" | Cleaner list starts here {{FIXME}} |- | 0x04 || 0x20 || |- | 0x04 || 0x20 || |- | 0x04 || 0x21 || |- | 0x04 || 0x22 || |- | 0x04 || 0x23 || |- | 0x04 || 0x24 || |- | 0x04 || 0x35 || |- | 0x04 || 0x50 || |- | 0x06 || 0x00 || Seems to use eax (address) and ecx (size) as parameter? Memory is 0x00 filled before. location is 0x8002b420, size would be 0x3000 |- | 0x06 || 0x02 || |- | 0x06 || 0x20 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x21 || |- | 0x06 || 0x22 || |- | 0x06 || 0x23 || Some call or callback registration to the address pointed to by eax |- | 0x06 || 0x24 || |- | 0x06 || 0x25 || |- | 0x06 || 0x26 || |- | 0x06 || 0x27 || |- | 0x06 || 0x28 || |- | 0x06 || 0x29 || |- | 0x06 || 0x40 || |} == References and links == * [http://support.xbox.com/en-US/legacy-devices/original-console/play-original-games Official compatibility list by Microsoft] * [http://michaelbrundage.com/project/xbox-360-emulator/ Michael Brundages (Microsoft) page about the original Xbox emulator in the Xbox 360] ** [http://michaelbrundage.com/note/2005/05/15/xbox-360-emulator/ More information about the original Xbox emulator in the Xbox 360] * [https://randomascii.wordpress.com/2019/03/20/exercises-in-emulation-xbox-360s-fma-instruction/ Blog post about FMA math emulation by Bruce Dawson (Microsoft)] * [https://www.youtube.com/watch?v=Da_ont-2AG0 Modern Vintage Gamer: Revisiting Original Xbox Backward Compatibility on the Xbox 360] 00da079978f25630ab09fe9bc1ed8d6e8e3b1c77 2 4036 7042 2022-06-29T22:46:08Z VannevarKush 2546 Creating user page wikitext text/x-wiki Hello World Working on Xbox linux, particularly modern FATX support 31c7ac53061cbd6a6711265770b456089b170144 0 1 7043 6935 2022-06-29T23:20:31Z VannevarKush 2546 Added Linux and ReactOS under "Operating Systems" header wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[Xemu|xemu]] ** [[Cxbx-Reloaded]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Operating Systems == * [[Linux]] * [[ReactOS]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] d295c82dad71a2d79eb0c9b4d915305944110f2c 0 4037 7044 2022-06-29T23:49:53Z VannevarKush 2546 Creating page, created a basic intro and links section wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application of the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. But, it would also be possible to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. ==Links== Many of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://cs.oberlin.edu/~ctaylor/classes/341F2012/xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] A security review of the Xbox made by Michael Steil, a member of the Xbox Linux team 68232895eef2725858b24438a009f0cb1c16b412 7045 7044 2022-06-29T23:59:11Z VannevarKush 2546 Added the xboxhdm repo to historical links wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. But, it would also be possible to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. ==Links== Many of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. * [https://cs.oberlin.edu/~ctaylor/classes/341F2012/xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System] A security review of the Xbox made by Michael Steil, a member of the Xbox Linux team 5ab815717e52cdbc7bf76fc79f2e7b9780354764 7046 7045 2022-06-30T00:01:02Z VannevarKush 2546 Moving 17 mistakes to See Also since it's an article on here wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. But, it would also be possible to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. ==Links== Many of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System]] by Michael Steil, a member of the Xbox Linux team b60e1c29d44093753ea675c1858b5893c5d874b9 7047 7046 2022-06-30T00:01:55Z VannevarKush 2546 Correcting formatting wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. But, it would also be possible to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. ==Links== Many of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 8d833f3a8f6840fd018dd699fa1c5243d5cc957c 7048 7047 2022-06-30T00:11:18Z VannevarKush 2546 Added link to Xbox Linux Issues wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. To see the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Many of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 54f384c098f323bc4b3f2fa273e4bdfdcc10a8d1 7049 7048 2022-06-30T00:11:52Z VannevarKush 2546 grammar wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. To see the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 95fd43f13cd523dc3a7ef0abebe43e1fe4c115d7 7050 7049 2022-06-30T00:13:50Z VannevarKush 2546 phrasing wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team d4b6e841f47419d2b36c6c39d5ad7f44b6229123 0 4038 7051 2022-06-30T01:20:30Z VannevarKush 2546 Creating page, adding FATX/MBR issue wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and load linuxboot.cfg, the kernel, and the initrd. As Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since an actual boot record isn't needed, the first 440 bytes are filled with zeroes when using fdisk. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions. The partition table is written into unused space in the FATX config area. XBPartitioner wipes the entire config area when writing a partition table including any MBR contents, other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR. This struct shows the layout of the partition table: From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools that support this. Xbox-based, Linux-based, and PC-based Xbox partition management tools would have to be updated to support this, and the BIOS patches would probably have to be updated. '''Pros''' * Cromwell would not need to be modified * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap for full kernel support '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution, but fatxfs performance still needs to be evaluated on Xbox. d94f9a014d62950cf55b2df41fdb05ef9625922b 7052 7051 2022-06-30T01:29:54Z VannevarKush 2546 Some cleanup wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions. The partition table is written into unused space in the FATX config area. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution, but fatxfs performance still needs to be evaluated on Xbox. * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. 3e853f20d30a83f7d44490d7d22f616120d7de56 7053 7052 2022-06-30T01:48:07Z VannevarKush 2546 Added Lack of FATX Kernel Support and Advanced Video Support wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions. The partition table is written into unused space in the FATX config area. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution, but fatxfs performance still needs to be evaluated on Xbox. * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ced1ced79a3204b749253aa1a6f426e66f52b5fe 7054 7053 2022-06-30T20:22:43Z VannevarKush 2546 /* XBPartitioner Table and MBR incompatibility */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions. The partition table is written into unused space in the FATX config area. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 2a63b7ba9bea43b8e5bfebbd5594b776ac70e552 7055 7054 2022-06-30T20:26:36Z VannevarKush 2546 /* A 12 partition XBPartitioner Table */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions. The partition table is written into unused space in the FATX config area. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 96ee4bda2eb2acb7b9b51153696de377b4d0b244 7056 7055 2022-06-30T20:55:41Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==XBPartitioner Table and MBR incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? e5eb63e632038961a0cb7d9881fe06716d240227 7064 7056 2022-06-30T21:52:40Z VannevarKush 2546 Adding info about cromwell boot partition issues wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg, the kernel, and the initrd. A boot partition formatted with ext2 using an old version of X-DSL worked fine for a native install. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon for the user to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Note that Cromwell is able to use an ext2/ext3 partition as a combined boot and root partition; a reserved boot partition is not strictly needed here, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of boot partitions does Cromwell support? How can these be reliably formatted with a terminal command? Since a boot partition is only needed for Cromwell to load the kernel and initrd, and depending on the complexity of any fix to Cromwell, it would be acceptable for a more archaic filesystem configuration to be used for the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice. Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 392dd1efbce40c47f57c23275883c0e9c32a0bfc 7065 7064 2022-06-30T21:56:25Z VannevarKush 2546 /* Native Boot Partition Filesystem Compatibility with Cromwell */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install of X-DSL, a boot partition formatted with ext2 worked fine as formatted by X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there; a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can these partitions be reliably formatted using a terminal command? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice. Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 2e27234f83285ef888ac82d8a422dc8439556c4f 7066 7065 2022-06-30T22:05:29Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install of X-DSL, a boot partition formatted with ext2 worked fine as formatted by X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there; a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can these partitions be reliably formatted using a terminal command? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice. Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? e3941420a55bb946c0267d446fb775a5b1a37899 7067 7066 2022-06-30T22:07:05Z VannevarKush 2546 /* Native Boot Partition Filesystem Compatibility with Cromwell */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there; a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can these partitions be reliably formatted using a terminal command? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice. Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 2b1fe567eaee56fadd4e4768c2867d65bf2f4f2e 7068 7067 2022-06-30T22:34:18Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there; a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can these partitions be reliably formatted using a terminal command? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? fb151b576c7fbc9cef7ccc6ec1398b7576ff53df 7072 7068 2022-07-01T22:04:42Z VannevarKush 2546 /* Native Boot Partition Filesystem Compatibility with Cromwell */ Adding info about successful format in Windows wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? bc8ef8b9caf1685b59e101902b0dea72bd837536 7073 7072 2022-07-02T20:53:03Z VannevarKush 2546 /* XBPartitioner Table and MBR Incompatibility */ Adding mborgerson's proposal for fatx partition table issue wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions can be temporarily accessed, but once the contiguous files are created and the range of the is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? b51b4b77bdb640afc5b09701f24b4477c5ff1f38 7074 7073 2022-07-02T20:55:40Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, but once the contiguous files are created and the range of the is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 7a4fcbf3dd44f52aa8a01a29819f98467dd8d693 7075 7074 2022-07-02T20:56:12Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, but once the contiguous files are created and the range of the files is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 371cc14f759d23881022e87bae1957fe387f5a1b 7076 7075 2022-07-02T20:56:59Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 1fbe99dc71694fccd91fa9cfb3e9a9a170bbf98a 7077 7076 2022-07-02T21:00:55Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 12ec14fff117a3003b58a2987cd4afb5948b36a5 7078 7077 2022-07-02T21:02:32Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, aside from the mounting process itself. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? c1bfe5b46a1c9597fd0bc80e4d0df8dd7e87f80c 7079 7078 2022-07-02T21:04:02Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. Maybe a Linux tool could be built to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 2eedf24ec33dc82670bbe21b625f5268aba06df9 7080 7079 2022-07-02T21:06:18Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 189428f139a3efcb71977783a724111db6f336bf 7081 7080 2022-07-02T21:06:45Z VannevarKush 2546 /* Using Contiguous Files Allocated on FATX as a Filesystem */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 5123e98e9080b067488a689ca2020913b92b5d6a 7082 7081 2022-07-02T21:08:26Z VannevarKush 2546 /* Possible Solutions */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel, and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? f6c404d19c11304615770c0ee8a27144ff4bcce9 7083 7082 2022-07-02T21:09:19Z VannevarKush 2546 /* Native Boot Partition Filesystem Compatibility with Cromwell */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? 4e782583b1d4b50c8a5f9eea12d805c82ed5519a 0 4037 7057 7050 2022-06-30T21:11:19Z VannevarKush 2546 /* Links */ Adding mborgerson's fatx library to links wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 23b184040ca4bbf57ea8c597c48a04fd43d19493 7058 7057 2022-06-30T21:13:55Z VannevarKush 2546 /* Links */ Adding info about a repo that doesn't have useful content but looks like it does wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team ba321af6cedea574ab99f834d57840ec49f8fe0e 7059 7058 2022-06-30T21:14:34Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 6c343161c6c8a3c69c90a6838a6134b493338284 7060 7059 2022-06-30T21:15:25Z VannevarKush 2546 /* Links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team a31484bd0ef75e9537b40fecc7e3c460eb2b5ea0 7061 7060 2022-06-30T21:22:34Z VannevarKush 2546 /* Links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team c7d28a7c6579150881ef93d224468b5119ad61f8 7062 7061 2022-06-30T21:24:21Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The downloads section contains various Xoox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team f9cada9d6ba55ebd68d3335faf0fe7770259b025 7063 7062 2022-06-30T21:24:46Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team 200ba8d4bc463e15423dcd9f8fb392a8adfeaed2 7069 7063 2022-06-30T23:36:46Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [[https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch]] Some inspiration b91d01d22eb1a7df98fa2b26b3ca47d6ecb8c88f 7070 7069 2022-06-30T23:37:00Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration 449057beff42ebcea30157f8ce27f827f07d84d6 7071 7070 2022-07-01T00:18:18Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis d4a335b9fe4bf5c2d757fa244f15175e99712c46 7085 7071 2022-07-02T21:28:09Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 74e30d9479e484e527eeca1b34a60604786387e0 7086 7085 2022-07-02T22:07:39Z VannevarKush 2546 More info on historical Xbox Linux wikitext text/x-wiki ==Historical Xbox Linux== ===Introduction=== When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and well-developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Current Xbox Linux== Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 94317169f30aac59a48c4ff95f8700c72d40ac32 7087 7086 2022-07-02T22:08:52Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki ==Historical Xbox Linux== ===Introduction=== When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Current Xbox Linux== Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 0d59cbf631a7053fe3ecd5ceacd5fcb6a784a71a 7088 7087 2022-07-02T22:09:55Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki ==Historical Xbox Linux== ===Introduction=== When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Current Xbox Linux== Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time a89e8fdb235eae09da5b5715afb14ff631ad30d6 7089 7088 2022-07-02T22:11:41Z VannevarKush 2546 Reformatting wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Current Xbox Linux== The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 0922c8f06cf4a7050c5c5611b85a7dc2d651d1ac 7090 7089 2022-07-02T22:12:36Z VannevarKush 2546 More reformatting wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 are woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time e2843934235945b89eafc790603745f8b58bff00 7091 7090 2022-07-02T22:12:51Z VannevarKush 2546 /* Current Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 7e3b75adf5791b6752e436005a79b1eef8fa5446 7092 7091 2022-07-02T22:13:16Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, which is a PC-based CD bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 09132f6e2d82f8fa7895240f8a02266c75c95384 7093 7092 2022-07-02T22:16:58Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''GentooX''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time dca9560b1e86f55b85cfbd9cdd6c044302acc793 0 4039 7084 2022-07-02T21:27:19Z VannevarKush 2546 Redirected page to [[Linux]] wikitext text/x-wiki #REDIRECT [[Linux]] d51bf9cff7954e6e54dbf1d79c250d00103fffdc 0 4040 7094 2022-07-02T22:48:49Z VannevarKush 2546 Adding some basic tips and tricks wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The Gentoo LiveCD command line environments worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it could be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux). Does Linux have any sort of write levelling support for swap? ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build to that hard drive. ===Using xbox7887's serial board=== (put in necessary kernel config options) be9394acd2668034c35c3f010b5ddefbe18cc2c6 7095 7094 2022-07-02T22:50:20Z VannevarKush 2546 /* 128MB RAM Upgrade */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it could be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux). Does Linux have any sort of write levelling support for swap? ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build to that hard drive. ===Using xbox7887's serial board=== (put in necessary kernel config options) cfb4b83e0f0ecc1c564f2cac196cc0ade21c9c0d 7096 7095 2022-07-02T22:54:19Z VannevarKush 2546 wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build to that hard drive. ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 734cfc7863c48b49b118143198dc842d9c7cf42d 7097 7096 2022-07-02T22:55:41Z VannevarKush 2546 /* Using the Extra 2GB on a 10GB FATX Hard Drive */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install. ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 14281f147b6bdf5c593ab1686bb1c8d00b49b657 7098 7097 2022-07-02T22:56:47Z VannevarKush 2546 /* Using the Extra 2GB on a 10GB FATX Hard Drive */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 1b0ce87d47c5db3f9b801281dea65ba68ec56002 7099 7098 2022-07-02T23:04:18Z VannevarKush 2546 /* Using the Extra 2GB on a 10GB FATX Hard Drive */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatted drives. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) dea90cc5e512e847b9b87e0e0a1deac25b33a853 7100 7099 2022-07-02T23:05:06Z VannevarKush 2546 /* Using the Extra 2GB on a 10GB FATX Hard Drive */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing the Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 0a510b90541bf1995292dd076ac82687e0dd338d 0 4040 7101 7100 2022-07-02T23:06:20Z VannevarKush 2546 wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's serial board=== (put in necessary kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 20db9eafe19532831f0cf48ae58d7b07b03ef8cf 7102 7101 2022-07-02T23:12:03Z VannevarKush 2546 wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's serial board=== (put in necessary kernel config options, compatible Xbox BIOSes) ===Using USB serial devices=== (kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 91f9a51ede22d8ed3d4636d96f82cc978e7d4d2a 7103 7102 2022-07-02T23:46:15Z VannevarKush 2546 /* Using xbox7887's serial board */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created a SuperIO board, which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and were used on computer motherboards to provide PS/2, serial, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing kernel debugging over a serial connection provided by the SuperIO chip via the LPC. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? should probably be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== (kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 71dbde1a34c6c835e108483bd85d05832bc88377 7104 7103 2022-07-02T23:47:49Z VannevarKush 2546 /* Using xbox7887's Serial USB Adapter (on the LPC bus) */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created a SuperIO board, which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? should probably be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== (kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) b82f6c6dbac8cb032d642dd5ac42463b7be071b8 7105 7104 2022-07-02T23:48:28Z VannevarKush 2546 /* Using xbox7887's Serial USB Adapter (on the LPC bus) */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created a SuperIO board, which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== (kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) 2ba0a7311bb758cc7f8df5a80bacd27ecda59b9d 7106 7105 2022-07-02T23:49:38Z VannevarKush 2546 /* Using xbox7887's Serial USB Adapter (on the LPC bus) */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== (kernel config options) ===Unpacking and Repacking an initramfs/initrd=== (todo) e9fc4cc898b467c1038bca3b00cb5618cf3bb7ac 7107 7106 2022-07-03T00:08:48Z VannevarKush 2546 /* Using USB serial devices */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup, a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this, which should probably be translated into actual config options: Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support #is this only for xbox7887's board? 1 port to register at runtime ===Unpacking and Repacking an initramfs/initrd=== (todo) d7d8ff5857962a477ad1252eb6a585b96c05af60 7108 7107 2022-07-03T00:09:17Z VannevarKush 2546 /* Using USB serial devices */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup, a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support #is this only for xbox7887's board? 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 492c54403fb58c6e287a1cdfd4148be905fc756f 7109 7108 2022-07-03T00:10:20Z VannevarKush 2546 /* Using USB serial devices */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup, a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support #is this only for xbox7887's board? 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) d6c175ee0eeb09746c6d4d13a57d38b9f7a99806 7110 7109 2022-07-03T00:11:14Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support #is this only for xbox7887's board? 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 5a09ffaaf5f08de6e22f8d78b5476cf8be9f6433 7111 7110 2022-07-03T00:12:00Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) c5b2b948a1432f6b041a4e0d7db8f055867ce9e3 7112 7111 2022-07-03T00:14:43Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 236145e392b0d991b1136b4757a279032961c1cb 7113 7112 2022-07-03T00:17:11Z VannevarKush 2546 /* Using xbox7887's Serial USB Adapter (on the LPC bus) */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) c36f1d8a5dfde0db5a00d4c50aaa6999af0808e0 7114 7113 2022-07-03T00:19:50Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine, if the Xbox hardware itself isn't required during development. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 73c9d8ab4446dbd4da749bc6ec2cd4d60bc5348d 7115 7114 2022-07-03T00:20:11Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 6de7aa09fb4d6e3043dfbd51df98a2fe90d2b65b 7116 7115 2022-07-03T00:24:02Z VannevarKush 2546 /* Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging */ wikitext text/x-wiki ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) 17234f05228d479ad9deb7736c8257a6fadda05f 7117 7116 2022-07-03T00:30:10Z VannevarKush 2546 wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) ==See Also== [[Xbox Linux Issues]] [[Xbox Linux]] 546af5fe3f89d96ee6c5e1a885a70b9cfcb742bb 7118 7117 2022-07-03T00:30:25Z VannevarKush 2546 /* See Also */ wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] f563ec4d29c7d860b95683830a81ea0f2b269098 0 4038 7119 7083 2022-07-03T00:31:18Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html|MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 8b47a75e73f616a4fee93a90f79ff6665bd79397 0 4037 7120 7093 2022-07-03T00:41:54Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com|GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time dfbe68d6aac54e85b172c279ceef94a428231030 7121 7120 2022-07-03T00:42:59Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''X-DSL''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "New" Xbox Linux wiki], which was migrated to SourceForge from an old one. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 071ead22bdd6235c74b23acf5fb645cc1d3d911a 7122 7121 2022-07-03T00:50:31Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''dynebolic''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page] The "New" Xbox Linux wiki, which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time c80f2fe8064774944d9dfa88c4ff847f185fbc12 7123 7122 2022-07-03T01:25:27Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]] - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic II, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest iso of version 1 (compatible with Xbox, untested) is [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page] The "New" Xbox Linux wiki, which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time ec779b2dd9ddf48107885d6e3477728b8602ff3d 7124 7123 2022-07-03T01:25:57Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic II, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest iso of version 1 (compatible with Xbox, untested) is [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page] The "New" Xbox Linux wiki, which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time e37c10df3cb01788cbb6c9561b6f5b36f78a5c3d 7125 7124 2022-07-03T01:26:37Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest iso of version 1 (compatible with Xbox, untested) is [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page] The "New" Xbox Linux wiki, which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time d2ed06e37170041c4b46ec3eecacd74e1f0bf5f7 7126 7125 2022-07-03T01:28:15Z VannevarKush 2546 /* Links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest iso of version 1 (compatible with Xbox, untested) is [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 34b1970e4a2e2310d55323215455c2d8a48325d9 7127 7126 2022-07-03T01:34:44Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''', '''Ed's Xebian''', '''Fedora''' (images on xbox linux sourceforge) *'''Mandrake''', '''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 8994cf843b3314aab3dad45d4515523ecfa84515 7128 7127 2022-07-03T01:49:56Z VannevarKush 2546 /* Historical Xbox Linux */ Added some archive links wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 3dde57a5ef82658f720fc52bef7dc1c55dcdde3d 7129 7128 2022-07-03T01:59:29Z VannevarKush 2546 /* Historical Xbox Linux */ Added sXb wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[sXb https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php]''' - Slackware for the Original Xbox. Last version is [], availalble here: https://sourceforge.net/projects/sxb/files/ The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time bcf068ab0b2fd7e94f9aa3e2feaddc6965da9b64 7130 7129 2022-07-03T02:00:16Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time a103407c0636f11a6832786fce42c462b792d9fa 7131 7130 2022-07-03T02:10:32Z VannevarKush 2546 /* Links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20110110030414/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 90ca22bb4b9fa93802e24eee989d94f83511d3af 7132 7131 2022-07-03T02:14:06Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 7903bb8250ef1f6532882057a4f51f1328a995a2 7133 7132 2022-07-03T02:24:18Z VannevarKush 2546 /* Historical Xbox Linux */ added FreeBSD wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[FreeBSD https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. The patches were officially merged into FreeBSD. An iso can be found here [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] with the offically supported patches. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 8ed762e1dcac81bc7340ea289881cda09a128c0e 7134 7133 2022-07-03T02:24:49Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. The patches were officially merged into FreeBSD. An iso can be found here [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] with the offically supported patches. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 8cb759693e6f5a54c4c1eda2845cd131e9f91c51 7135 7134 2022-07-03T02:26:47Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourcefore is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. An iso can be found here [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 301266a2e5d6799b2b65a56fed97df36d8ac71a6 7136 7135 2022-07-03T02:27:38Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. An iso can be found here [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 02756ba6c602b519b4c98630d66a68636c34c393 7137 7136 2022-07-03T02:31:51Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A setup can be found here [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time dde8b89167ae685aef8d48a2655d014ac8e62d2f 7138 7137 2022-07-03T02:32:17Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 1dc449807f42b84cb34c76cec8e7d54cbeb235f4 7139 7138 2022-07-03T02:42:07Z VannevarKush 2546 /* Historical Xbox Linux */ mandrake linux wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' were spotted on the usual source *'''xboxhdm''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time ad956262cb87bd5f166e79a4496b3e90aad80919 7140 7139 2022-07-03T02:50:05Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, it was released up to 0.3. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. It currently has issues with anything other than "F takes all" schemes. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 4d1bf70e28ac75955a2ee77181415a70da2f5487 7141 7140 2022-07-03T02:50:38Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, it was released up to 0.3. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 9245693372d78b3b653775809da08099f6b0cc2a 7142 7141 2022-07-03T02:51:00Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 9a661fe6bc25afe1da1d0968168d9f493dc88b2f 7143 7142 2022-07-03T02:51:35Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - "xUbuntu" is a specific distribution built on top of Ubuntu GNU/Linux distribution. xUbuntu" is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. "xUbuntu" linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run live off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 81225a2aa47cc45f76f4db4e61b5fcf3d60471c7 7144 7143 2022-07-03T02:53:39Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''xUbuntu''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 3f61ad36d1f7ee1abe8fb38af0eb735e4f4477e0 7145 7144 2022-07-03T02:54:58Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 59867d33d6869933be37ea266829e6ec07bcdd9c 7146 7145 2022-07-03T02:55:44Z VannevarKush 2546 /* Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of GentooX Home is 7.1, and the latest release of Pro was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 3c17e1f59e79bca13d3a6c375126a47d3f037830 7147 7146 2022-07-03T02:58:53Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 116e22e296f92ecc52f1cc9e2f42007ee10feb03 7148 7147 2022-07-03T03:16:25Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods: - "Native" install: This may out your hard drive, format it for Linux, and expects you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you) For a native install with a boot partition, this is NOT compatible with the XBPartitioner table, and it will overwite the XBPartitioner table. So "F takes all", allowing coexistence with the stock partitions, is preferred here to a full drive format in most cases. '''If you have a native install, DO NOT USE XBPARTITIONER. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) - "loopback" install: This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is much safer of an install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must be below the 137GB boundary, if doing a loopback install to it (or is drive F size constrained here?). Note that larger drives (probably >137GB) are going to run into issues with Xbox Linux. At least, Xbox Linux partitions will have to be located before that boundary, and you'll essentially lose access to the rest of your drive. Also, Xbox Linux can't read files on FATX if the partition is too big. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 55fcd2e6373af4ca786fab72ccca0e0c9d6f0c77 7149 7148 2022-07-03T03:26:06Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods: '''"Native" install''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''loopback install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 7f4bbb25320997942896dd7e25d7ae111c85b9f9 7150 7149 2022-07-03T03:26:43Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods: '''Native Install''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 201f5df6d007016af5e4655a44f7ca2dff664c3f 0 4037 7151 7150 2022-07-03T03:28:20Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 3ecb4d3d14d69451b84a09aa72949292593c1d22 7152 7151 2022-07-03T03:29:25Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time ba32a2f2ada76769824e1c494018c57eb89f0830 7153 7152 2022-07-03T03:42:49Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 305b456a28ee16ef7fe12b0590c631b9690b9f2c 7154 7153 2022-07-03T03:46:48Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 031258814c3ac58970bedf5d362aeab5171d683b 7155 7154 2022-07-03T03:47:49Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time a57b1a192302da6ef79f42a75e97dfdedff28d86 7156 7155 2022-07-03T03:48:21Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use an old hard drive for this) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 31cc3bcb62d7f3bce0fe15caf82f48360d1958f2 7157 7156 2022-07-03T03:50:39Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes in architecture. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 27313525ebdf93bcad29645151b011205b898401 7158 7157 2022-07-03T03:57:32Z VannevarKush 2546 /* Historical Xbox Linux */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Historical Xbox Linux== Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 4836a2fbe1ff3c4e385a1dcbd0fcaae670c6b84f 7159 7158 2022-07-03T04:01:18Z VannevarKush 2546 Removing historical content to put on new page wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Today, Xbox Linux has more of a hobbyist appeal. It would be possible, though, to use it to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. For information about old versions of Xbox Linux, see [[Historical Xbox Linux]]. ==Current Xbox Linux== The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 6f0c97521825d3f15e2406a627ae47c017ab0a97 7164 7159 2022-07-03T04:12:24Z VannevarKush 2546 wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see [[Historical Xbox Linux]]. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 2708006cb3f3055b387f47b1df490be5c371968d 7165 7164 2022-07-03T04:12:39Z VannevarKush 2546 wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see [[Historical Xbox Linux]]. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see [[Xbox Linux Issues]]. For some guides and information that might help you get Xbox Linux up and running, see [[Xbox Linux Tips and Tricks]]. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time fd72f256dffd565ec1022d87b701700ba5298ee3 7166 7165 2022-07-03T04:13:27Z VannevarKush 2546 wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, a member of the Xbox Linux team * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time 7905649f353f24ad76f176257655b99f16ff7504 7179 7166 2022-07-04T02:39:55Z VannevarKush 2546 wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, the founder of the Xbox Linux team * [https://www.ridemybike.org/command1.pdf In the beginning... Was the Command Line] by Neal Stephenson * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time d2fe4de7a6de1d981775be9569e5e61a84df1b6a 0 4041 7160 2022-07-03T04:01:39Z VannevarKush 2546 Moving historical content to new page, to keep new and old info separate wikitext text/x-wiki Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ===Historical Distros=== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ===Installing Old Distros=== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ===Historical links=== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] c4323de7eab98a33bb6e47df8123f6717211b7ca 7161 7160 2022-07-03T04:02:34Z VannevarKush 2546 Formatting wikitext text/x-wiki Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 94cda4f944cbc57b428faca7cfea19523a0a42eb 7163 7161 2022-07-03T04:04:44Z VannevarKush 2546 Moving history data here wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] fd31334e2fc4b08dbec904c1eebf2ddc9ca56de2 7171 7163 2022-07-03T09:00:02Z VannevarKush 2546 Some important info wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 97e4fbf6b48bd61629e4c620862c4cb6907145a2 7172 7171 2022-07-03T09:00:28Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks to mod the Xbox *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] f9e0b5939d11f4c418176a0d5decfe67a5e3e610 7173 7172 2022-07-03T09:02:29Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox was support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 83e83ed0179c0ed5d4fef67a6b4af039d7309730 7174 7173 2022-07-03T09:05:13Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 5cd12663fcf128d684a0357aade88980f7332f77 7175 7174 2022-07-03T09:05:57Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". xUbuntu is based on Ubuntu 5.10 (Breezy Badgar) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 5360f8014e8c13a7353289cef292fc03ac613016 7176 7175 2022-07-03T09:06:26Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 6a534f22c8de853ca20dd6608e7d199fc1521aaf 7180 7176 2022-07-04T05:40:23Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 624b2a2aeb2c096284db0715adf7ad4fe371d500 7181 7180 2022-07-04T21:38:57Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] b4558d4b263ac25d55ceeaeb96a32ffb294fda98 7182 7181 2022-07-04T21:39:39Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 0d04729e3dda35a8406b16ab34a4e81212ca5fed 7183 7182 2022-07-04T22:14:15Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 6453ccdb2ab272dbd05bf8e6ef76e59b9753428c 7184 7183 2022-07-04T22:25:12Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 4a8358ebbefbc3cc8b3f4bf6bfd72d3ab5037594 7185 7184 2022-07-04T22:34:49Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Oddly enough, a recent Xromwell worked for these while GentooX loader did not. The pro version attempts to boot from the CD, so be sure set your BIOS not to boot from CD if it doesn't work this way. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 1462ed1dc781db19937d9d776963e8d0ea7f28fb 7186 7185 2022-07-04T22:35:55Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Oddly enough, a recent Xromwell worked for these while GentooX loader did not. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] f248e769c7a5d1a418a1ab29d57191ba4be0fec3 7187 7186 2022-07-04T22:39:30Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005) *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here] *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 8afcf93f6b578c15e7cf3716151b21de9e7a597f 7197 7187 2022-07-05T00:45:48Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. Works from DVD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. Was not detected as bootable by Xromwell. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 9b6b0244caa79fc44c5f7237272876a5d81d9505 7198 7197 2022-07-05T00:51:22Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. Was not detected as bootable by Xromwell. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 8c8d87d65c1b6ac2fe7d649e8e7c58cdfb27ea65 7199 7198 2022-07-05T00:54:19Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. Was not detected as bootable by Xromwell. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 1470ca9157ae834c25f2d032216ef9c656466764 7200 7199 2022-07-05T01:11:08Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. Although it requires a composite cable, this is distro has a lot of toys and is fun to check out. Also, it works from DVD! *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. Was not detected as bootable by Xromwell. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 42bb0142738e00fae59b0bc1449ec72967b7c85c 0 4038 7162 7119 2022-07-03T04:02:44Z KaosEngineer 2482 link to MBR layout information was not working, extraneous | character removed wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 bytes starting at the beginning of the drive. Only 48 bytes are officially used; the rest are zeroes. On a stock-formatted Xbox hard drive, the contents of this config area don't seem to matter much to ind-BIOS (tested), although Insignia may use it in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 8ac812cd413858379bc5bcbc4131bc84be5870ef 7177 7162 2022-07-03T23:31:15Z VannevarKush 2546 /* XBPartitioner Table and MBR Incompatibility */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] eaf291d09de0015f96023dcf5c59a9399a3fbc67 0 3708 7167 6967 2022-07-03T05:33:33Z VannevarKush 2546 Adding earlier version of Linux fatx doc wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * Most up to date: [https://hackmd.io/DXo0p8VnQLy3XQ7YR1Ny_w?view The FATX filesystem] * Archive of the xbox-linux project from 2010: [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * An older version of that document including info about unknown (XBLA?) sectors [http://web.archive.org/web/20040616143741/http://www.xbox-linux.org/docs/hdpartfs.html] * Private writings from 2002: [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] 4ab9a79ec1d38c1a66333e5073afbd532c4d871b 7168 7167 2022-07-03T05:34:12Z VannevarKush 2546 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * Most up to date: [https://hackmd.io/DXo0p8VnQLy3XQ7YR1Ny_w?view The FATX filesystem] * Archive of the xbox-linux project from 2010: [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * An [older version of that document http://web.archive.org/web/20040616143741/http://www.xbox-linux.org/docs/hdpartfs.html] including info about unknown (XBLA?) config sectors * Private writings from 2002: [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] 9e494f663e0c933eaf2cf8df6af441a5127a4e1f 7169 7168 2022-07-03T05:34:40Z VannevarKush 2546 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * Most up to date: [https://hackmd.io/DXo0p8VnQLy3XQ7YR1Ny_w?view The FATX filesystem] * Archive of the xbox-linux project from 2010: [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * An [http://web.archive.org/web/20040616143741/http://www.xbox-linux.org/docs/hdpartfs.html older version of that document] including info about unknown (XBLA?) config sectors * Private writings from 2002: [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] b859a891e4b429fccd5bfae436014b8e75e5fb38 7170 7169 2022-07-03T05:38:18Z VannevarKush 2546 wikitext text/x-wiki The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox. The [[Config Sector]] contains the filesystem magic number, some basic filesystem metadata, and Xbox Live account information. == Implementations == {| class="wikitable |- ! Name ! Platform ! Read/Write ! Description |- | Official | Xbox | Read/Write | Official FATX implementation by Microsoft |- | [https://github.com/mborgerson/fatx fatxfs] | GNU/Linux, macOS | Read-Only | [https://en.wikipedia.org/wiki/Filesystem_in_Userspace FUSE]-based implementation |} == Further Reading == * Most up to date: [https://hackmd.io/DXo0p8VnQLy3XQ7YR1Ny_w?view The FATX filesystem] * Archive of the xbox-linux project from 2010: [https://web.archive.org/web/20100617022009/http://www.xbox-linux.org/wiki/Differences_between_Xbox_FATX_and_MS-DOS_FAT Differences between Xbox FATX and MS-DOS FAT] * An [http://web.archive.org/web/20040616143741/http://www.xbox-linux.org/docs/hdpartfs.html older version of that document] including info about unknown (XBLA?) config sectors * Private writings from 2002: [https://web.archive.org/web/20020617181617/http://www.tardis.ed.ac.uk:80/~lucien/computing/projects/xbox/XBOX-disk-layout.htm XBOX DISK LAYOUT v0.13] e867dd7580517335cfd99b9e450dfe7778ec1ff6 0 4040 7178 7118 2022-07-03T23:34:08Z VannevarKush 2546 wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] c945e45a35db8f1e7e4513ba484bfdbf60956878 7195 7178 2022-07-05T00:03:55Z VannevarKush 2546 wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. If instead of a DVD drive, a hard drive is connected hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] 1fc7a48131c535e34bf8ac2ac5c020921f503ae5 7196 7195 2022-07-05T00:04:36Z VannevarKush 2546 /* hdb as Swap */ wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== (todo) ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] 4d9648fd6c3974ec5dc4efc85c758ce268511a96 6 4042 7188 2022-07-04T23:36:27Z VannevarKush 2546 Shows compatibility of different types CD/DVD media with the stock Xbox DVD drives. wikitext text/x-wiki Shows compatibility of different types CD/DVD media with the stock Xbox DVD drives. 8404fe5d419c198439bd6967fdc98e9ce9717d66 0 3704 7189 6110 2022-07-04T23:37:26Z VannevarKush 2546 Added DVD media compatibility chart wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ c098dc6e092e97f3b1a3e99129b5e7f1ae1a1de8 7190 7189 2022-07-04T23:45:36Z VannevarKush 2546 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. Xbox DVD drives are dying left and right. It is not advisable to require anything to be launched from DVD anymore, although it can be provided as an option for those who have never upgraded their Xbox hard drives (and still have a working DVD drive...) [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ fd4fa1f2d579b070f0feff06da1113c43a54343c 7191 7190 2022-07-04T23:46:25Z VannevarKush 2546 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. Xbox DVD drives are dying left and right. It is not advisable to require any new software to be launched from DVD, although this can be provided as an option for those who have never upgraded their Xbox hard drives (and still have a working DVD drive...) [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ e757b434263acd6a877cba45a4c94c5ea2c332b0 7192 7191 2022-07-04T23:47:35Z VannevarKush 2546 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. Xbox DVD drives are dying left and right. It is not advisable to require any new software to be launched from optical media, although this can be provided as an option for those who have never upgraded their Xbox hard drives (and still have a working DVD drive...) [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 1f7100af30e8b49bbcb94a3e5a7f56811635fdc5 7193 7192 2022-07-04T23:50:07Z VannevarKush 2546 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. Xbox DVD drives are dying left and right. It is not advisable to require any new software to be launched from optical media, although this can be provided as an option for those who have never upgraded their Xbox hard drives (and still have a working DVD drive...) It is possible to replace an Xbox DVD drive with a PC DVD drive with [https://www.youtube.com/watch?v=lpEYLoA5jrc some modification]. [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ e43c70d0d148bb9bc14253eb98359f7367660adc 7194 7193 2022-07-04T23:50:45Z VannevarKush 2546 wikitext text/x-wiki The Xbox contains a DVD Drive which can read [[Xbox Game Disc|Xbox Game Discs]]. For a list of drives Microsoft used in the Xbox, see [[Hardware Revisions]]. Xbox DVD drives are dying left and right. It is not advisable to require any new software to be launched from optical media, although this can be provided as an option for those who have never upgraded their Xbox hard drives (and still have a working DVD drive...) It is possible to replace an Xbox DVD drive with a PC DVD drive with [https://www.youtube.com/watch?v=lpEYLoA5jrc some modification]. (What kind of drives work for this?) [[File:Xbox DVD Media Compatibility Chart.png]] == Extra commands / modifications == === IDENTIFY === {{FIXME|reason=Move data from http://xboxdevwiki.net/Porting_an_Operating_System_to_the_Xbox_HOWTO#DVD_Driver}} === READ DVD STRUCTURE === {{FIXME|reason=Describe how SS is accessed}} === MODE SENSE and MODE SELECT === Page 0x3E is used for security. Accessed through ''MODE SELECT 10'' and ''MODE SENSE 10''. {{FIXME|reason=Describe the format in detail}} {| class="wikitable" !Offset || Field || Type || Notes |- | 0 || Mode page || u8 || |- | 1 || Length || u8 || Excluding this and the field before. Should always be 18 |- | 2 || Partition select || u8 || 0x00 = Video partition <br> 0x01 = Xbox partition <br><br> This will be set to 0x01 by the kernel when the last challenge was verified. This is done by sending the same challenge again, the challenge id / value is not reset. |- | 3 || Unknown || u8 || If this is not 1, the kernel will reject this as an XGD (but still allow normal access?!{{citation needed}}) |- | 4 || Authenticated || u8 || 0x00 = Not authenticated <br> 0x01 = Already authenticated or authentication in progress <br><br> This will be set to 0x01 by the kernel when the first challenge is send. |- | 5 || Booktype (0xF0) and Bookversion (0x0F) || u8 || Booktype 0xD is used for Xbox games. This must match info from the SS. |- | 6 || Unknown || u8 || ? |- | 7 || Challenge id || u8 || |- | 8 || Challenge value || u32 || |- | 12 || Response value || u32 || |- | 16 || Unknown || u8 || Unused? |- | 17 || Unknown || u8 || Unused? |- | 18 || Unknown || u8 || Unused? |- | 19 || Unknown || u8 || Unused? |} == DVD authentication == {{FIXME|reason=part of the [[Kernel]], so maybe document this elsewhere?}} == References and links == * [http://web.archive.org/web/20151026074806/http://home.comcast.net/~admiral_powerslave/dvddrives.html List of original Xbox DVD drives] * https://multimedia.cx/eggs/interfacing-to-an-xbox-optical-drive/ 981d5f52b022f6826a58dc2e4e67855f64940305 0 4041 7201 7200 2022-07-05T01:26:29Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. Although it requires a composite cable, this is distro has a lot of toys and is fun to check out. Also, it works from DVD! *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 9a5c4de02252f2a8000a661305a2b9978ac44c75 7202 7201 2022-07-05T01:29:12Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. '''These links to isos need testing; they are just what I found online. Not all isos work and some seem to require composite cables...''' *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. Although it requires a composite cable, this is distro has a lot of toys and is fun to check out. Also, it works from DVD! *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. Worked with component cables. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. Requires composite cables. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cables. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 7af8d8f094367dc90c7676d37682a712dd5f3241 7203 7202 2022-07-05T01:42:21Z VannevarKush 2546 /* Historical Distros */ Initial testing info added wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] cc0301006eca05b6a20f79121199c8bb59a9899c 7210 7203 2022-07-05T20:37:03Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [the announcement https://sourceforge.net/p/xbox-linux/mailman/message/10300266/]. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 88c61db1b96cdf229fcf0562c844df5b0f4162b3 7211 7210 2022-07-05T20:37:33Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] bdfe8cf93ed6544a82ed40fa7c9e708e2a99b945 7212 7211 2022-07-05T20:39:56Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here]. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] b21d65a14e51da5baa566f0e4ca6a98611752e4b 7213 7212 2022-07-05T20:41:25Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] ac4133ce4592f2ad5ec377b01020bbfc409f10ec 7214 7213 2022-07-05T20:46:03Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 5df3a938d7a2e5bf1098edf0657ba16104d56114 7215 7214 2022-07-05T20:55:52Z VannevarKush 2546 Adding timeline info wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first kernel boot on the Xbox was on August 13, 2002, and the first graphical desktop environment was KDE, run on October 7, 2002, and Mandrake Linux for Xbox was released soon thereafter. By December 17, 2002, the Cromwell bootloader was ready to run Xbox Linux, and the Xbox Linux project was in full swing. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] bc6279010a6459e2252ff5ae81c251dcea57eac0 7216 7215 2022-07-05T21:31:25Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadline was extended [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== A number of distributions were released, built around the Xbox Linux-patched kernel. * November 15, 2002 - Microsoft Xbox released * May 23, 2003 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2003 - first kernel boot * October 7, 2003 - first graphical desktop environment (KDE) * October 9, 2003 - Mandrake Linux 9.1 released for Xbox * December 17, 2003 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2003 - Michael Robertson extends the prize deadline for the remaining prize. ==Historical Distros== *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 59280bafad9a6a972fcf81ed52cfa08155d8766b 7219 7216 2022-07-05T23:02:40Z VannevarKush 2546 Added timeline wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadli[https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * November 15, 2002 - Microsoft Xbox released * May 23, 2003 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2003 - first kernel boot * October 7, 2003 - first graphical desktop environment (KDE) * October 9, 2003 - Mandrake Linux 9.1 released for Xbox. Users had to replace the TSOP using hardware modification. * December 17, 2003 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2003 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 7a8d488e502e807d0f8006820784a38bff9ad1e3 7220 7219 2022-07-05T23:03:25Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadli[https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * November 15, 2002 - Microsoft Xbox released * May 23, 2003 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2003 - first kernel boot * October 7, 2003 - first graphical desktop environment (KDE) * October 9, 2003 - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * December 17, 2003 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2003 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 6670514b30b8bb590a825660c92d3b68022f43b0 7221 7220 2022-07-05T23:15:20Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadli[https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * November 15, 2001 - Microsoft Xbox released * c. [October 2002 https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html] - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * May 23, 2003 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2003 - first kernel boot * October 7, 2003 - first graphical desktop environment (KDE) * October 9, 2003 - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * December 17, 2003 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2003 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 61ea1a1e75de6d790a578f880ea31407ccaa16a9 7222 7221 2022-07-05T23:20:04Z VannevarKush 2546 Some corrections, adding release dates wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadli[https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * c. [October 13 2002 (how?) https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html] - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * November 15, 2001 - Microsoft Xbox released in United States * February 22, 2002 - Xbox released in Japan * March 14, 2002 - Xbox released in Europe and Australia * May 23, 2002 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2002 - First kernel boot * October 7, 2002 - First graphical desktop environment (KDE) * October 9, 2002 - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * December 17, 2002 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2002 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 2755652c01dc1897713b405a7dc7c0ae9c00bbf7 7223 7222 2022-07-05T23:20:26Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes] with the vision of getting cheap Linux PCs into the hands of the masses. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. (was this claimed? the prize deadli[https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ here]) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)] - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * November 15, 2001 - Microsoft Xbox released in United States * February 22, 2002 - Xbox released in Japan * March 14, 2002 - Xbox released in Europe and Australia * May 23, 2002 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2002 - First kernel boot * October 7, 2002 - First graphical desktop environment (KDE) * October 9, 2002 - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * December 17, 2002 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2002 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] bd0a72a0bd263e7a283b7c5842c6de0e86c6c14a 7224 7223 2022-07-05T23:22:26Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes]. (He was also being sued by Microsoft at the time.) One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)] - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * November 15, 2001 - Microsoft Xbox released in United States * February 22, 2002 - Xbox released in Japan * March 14, 2002 - Xbox released in Europe and Australia * May 23, 2002 - Xbox Linux project founded * July 2, 2002 - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003 * August 13, 2002 - First kernel boot * October 7, 2002 - First graphical desktop environment (KDE) * October 9, 2002 - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * December 17, 2002 - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * December 31, 2002 - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * March 29, 2003 - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * July 4, 2003 - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * July 7, 2003 - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] ff9371b6091b078c58fe6e34b1c3b7b80b1fc8f7 7225 7224 2022-07-05T23:24:34Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, later anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes], in order to speed the development of Xbox Linux. (He was also being sued by Microsoft at the time.) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded * '''July 2, 2002''' - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003 - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 85c0fa84975c2639157c0cb7346888ea555111ca 7226 7225 2022-07-05T23:24:55Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, later anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes], in order to speed the development of Xbox Linux. (He was also being sued by Microsoft at the time.) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded * '''July 2, 2002''' - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9.1 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] e018d04a2ecfa3041ffff2543e694bafbeca7c23 7227 7226 2022-07-05T23:27:03Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, later anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes], in order to speed the development of Xbox Linux. (He was also being sued by Microsoft at the time.) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded * '''July 2, 2002''' - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts are made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 3944e02458e5bada407ab9a6a912837f62858cb3 7228 7227 2022-07-05T23:29:08Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The Xbox Linux project was founded on May 23, 2002 by Michael Stiehl. Michael Robertson, the CEO of Lindows.com, later anonymously offered [https://www.cnet.com/culture/squeeze-linux-into-xbox-win-200000/ two $100,000 prizes], in order to speed the development of Xbox Linux. (He was also being sued by Microsoft at the time.) The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded * '''July 2, 2002''' - Michael Robertson offers two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. One of the prizes was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 2e34a4563bc34a8dfb418210bf2ccaecb00c98bf 7229 7228 2022-07-05T23:31:58Z VannevarKush 2546 Moved content from intro wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] cd2a158fdbd2e7791f3ea5d923327129bc2add00 7230 7229 2022-07-05T23:32:36Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - Mechassault exploit released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 77fb8d3b6647ece65219321e6d8e4362bc7b9af3 7231 7230 2022-07-05T23:33:01Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html October 13 2002 (how?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] c6391423d8b684a026bf25590212457dbcb22349 7232 7231 2022-07-05T23:34:26Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] c5e9010adf43ed9fc3bec64b9af0d964500ef56f 7233 7232 2022-07-05T23:35:05Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The font exploit is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] e3e977b661079f0f81703e24a0537bf3be61d54f 7234 7233 2022-07-05T23:36:51Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[https://xboxdevwiki.net/Exploits#Font_hacks font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 574e6b57a06f80876ceb0248903753ce197d37de 7235 7234 2022-07-05T23:37:18Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] ccc119a2292241f344666c584acdc49dc6bb46bf 7236 7235 2022-07-05T23:37:42Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the 007 Nightfire hack by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 1a0d2f6187755d901486a1ba5f5d81e125ff9d66 7237 7236 2022-07-05T23:40:28Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|BIOS/bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] d1244e7083f23928c2f10dda6be3362e6ace81c3 7238 7237 2022-07-05T23:42:28Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a [[Cromwell|bootloader]]) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - Cromwell BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 07452893b37b0293321ed58f6781ff05c8185cb8 7239 7238 2022-07-05T23:43:10Z VannevarKush 2546 /* Timeline */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, although they exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] 2d785f852098d8f57c5f0b4a711f2b7124b0b461 7240 7239 2022-07-05T23:45:26Z VannevarKush 2546 /* Installing Old Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] ab51f156da0a70834b5d477fc0a0a66526b694c4 7241 7240 2022-07-05T23:46:07Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. ==See Also== *[[Xbox Linux]] c29f2705a465a0e6ca82871972056b7584556f3a 7242 7241 2022-07-05T23:50:00Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage The "Old" Xbox Linux wiki], which was migrated to xbox-linux.org. Not all articles were migrated. * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "old" xbox-linux website], before migrating content to SourceForge. ==See Also== *[[Xbox Linux]] 584e8b0157a8944af76e2d2428de5bc0d33b5997 7243 7242 2022-07-05T23:59:29Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "old" xbox-linux website], before the website was replaced with the "new wiki". ==See Also== *[[Xbox Linux]] fa539a71cf01003a8245106804c772d0132afba5 7244 7243 2022-07-06T00:00:04Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''live-linux''' A liveCD based Linux, may have been able to install to HDD; it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It appears to mount a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". ==See Also== *[[Xbox Linux]] f75304b840fcddf13ac1d1476381a9869dbc8a3d 0 4040 7204 7196 2022-07-05T03:02:52Z VannevarKush 2546 Added cramfs for initramfs extraction wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [initramfs filename]</code> '''cramfs''' If the filetype is "Linux Compressed ROM File System data", the image type is cramfs. To extract: <code>sudo fsck.cramfs --extract=[destination] [initramfs filename]</code> The destination will be created if it doesn't exist. To re-pack as cramfs, use <code>mkcramfs [extracted initramfs directory] [destination filename]</code> '''gzip''' '''Gentoo igz''' ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] f63fc52d0e8c6b3a4bcb3c8c9aa74a76433ba817 7205 7204 2022-07-05T03:11:14Z VannevarKush 2546 cramfs wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [initramfs filename]</code> ====cramfs==== If the result of the <code>file</code> command is "Linux Compressed ROM File System data", the format is cramfs. It should be little endian. '''Extracting''' <code>fsck.cramfs --extract=[DESTINATION] [TARGET]</code> The destination will be created if it does not exist. '''Compressing''' <code>mkcramfs [INITRAMFS_CONTENTS_DIRECTORY] [OUTPUT_FILE]</code> ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] 2498c96cc93e31e8381a1b6a07e1231c9fc6ab33 7206 7205 2022-07-05T03:12:05Z VannevarKush 2546 /* cramfs */ wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [initramfs filename]</code> ====cramfs==== If the result of the <code>file</code> command is "Linux Compressed ROM File System data", the format is cramfs. It should be little endian. Extracting cramfs: <code>fsck.cramfs --extract=[DESTINATION] [TARGET]</code> The destination will be created if it does not exist. Compressing cramfs: <code>mkcramfs [INITRAMFS_CONTENTS_DIRECTORY] [OUTPUT_FILE]</code> ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] ca56edfe1cf0cb42289d9164bfad549876ea691e 7207 7206 2022-07-05T03:12:20Z VannevarKush 2546 wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [initramfs filename]</code> ====cramfs==== If the result of the <code>file</code> command is "Linux Compressed ROM File System data", the format is cramfs. It should be little endian. Extracting cramfs: <code>fsck.cramfs --extract=[DESTINATION] [TARGET]</code> The destination will be created if it does not exist. Compressing cramfs: <code>mkcramfs [INITRAMFS_CONTENTS_DIRECTORY] [OUTPUT_FILE]</code> ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] 7c828b394224fc03ec98d9175f509b049d1f1bbf 7208 7207 2022-07-05T03:12:59Z VannevarKush 2546 /* Unpacking and Repacking an initramfs/initrd */ wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [INITRAMFS_FILENAME]</code> ====cramfs==== If the result of the <code>file</code> command is "Linux Compressed ROM File System data", the format is cramfs. It should be little endian. Extracting cramfs: <code>fsck.cramfs --extract=[DESTINATION] [TARGET]</code> The destination will be created if it does not exist. Compressing cramfs: <code>mkcramfs [INITRAMFS_CONTENTS_DIRECTORY] [OUTPUT_FILE]</code> ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] c026ce1ea3f7b9701b95d5434cdda2a3d63e0818 7209 7208 2022-07-05T10:14:29Z VannevarKush 2546 /* Unpacking and Repacking an initramfs/initrd */ wikitext text/x-wiki Here are some various tips that may help you get [[Xbox Linux]] up and running, and beyond. ===128MB RAM Upgrade=== Yep, it helps here too. Any modern Linux distro that isn't built for lightweight hardware is probably going to assume there is a lot more memory available than the Xbox has. The more memory and the more non-lightweight services in use, the more swapping is going to happen. With 64MB of RAM a lot of swapping is going to take place during any memory-intensive operation, slowing Linux to a crawl. So the 128MB of RAM can give Linux some more breathing room. More minimal distros may be able to run fine with a (very) lightweight desktop with 64MB. The vanilla Gentoo LiveCD command line environment worked fine until compiling. But even operations like extracting files take forever and could be done faster with less disk access with more RAM. ===CPU Upgrade=== Although a more advanced/expensive mod, upgrading the CPU will cause Linux to run that much faster. (when it's not bottlenecked on swapping, that is). The 1.4Ghz Tualatin with a 256KB cache will result in >2x performance. Gentoo compilation was tested on a 1.4GHz 128MB Xbox and was much more than 2x faster than on a stock Xbox. ===hdb as Swap=== Swapping to the same drive as data is being read from is far from ideal. Instead of a DVD drive, if a hard drive is connected on hdb, it can be used exclusively (or primarily) for swap. An unlocked stock Xbox hard drive could be used for this (back it up first!) but better performance will be obtained with an SSD. Small SSDs are not very expensive, and if it's just used for swapping, it can be easily replaced if it dies. (and do you really plan to use it for swap all day every day? It would only incur wear on the storage while running Xbox Linux. Does Linux have any sort of write levelling support for swap?) ===USB Stick as Swap=== When booting from a liveCD, if you you don't want to alter data on hda but swap is needed to increase available memory, a USB stick can be mounted as swap. This can be added early in the startup script if needed, in the initrd. This is very slow but can work for bootstrapping things to the point of being able to create swap on a hard drive. ===Hard Drive on hdb as a Bootable CD=== This was tested with a Gentoo minimal install CD. A partition was created on hdb using a PC, and formatted with vfat. The partition was set as the cd root in the boot options in linuxboot.cfg (it didn't need to change if the hard drive was fomratted as a single partition. If it needs to change, e.g. to /dev/hdb1 instead of /dev/hdb, the linuxboot.cfg, kernel, and initrd from the CD can be copied to the appropriate locations your hard drive, modified, and launched from there if you want to modify them without burning a new CD.) This may not work for all live CDs. It didn't work with historical GentooX. If it doesn't work, modification of the startup script is probably required to mount from hdb more generically instead of doing something CD or ISO oriented. The hard drive can be formatted with multiple partitions, one for the CD files, and swap can also be set up there, so as to have swap available without needing to modify hda or use a USB stick. ===Using the Extra 2GB on a 10GB FATX Hard Drive=== Not all stock Xbox hard drives are 8GB, some are 10GB. Look up your model number if you're not sure. If you have a spare 10GB stock hard drive sitting around, back it up. Then small native Linux builds can be installed to the 2GB at the end of the drive (remember to have swap), and that area of the drive can also be used for experimentation. Or, install a (small) historical Xbox Linux build like X-DSL to that hard drive as a native install, which should handle the partitioning automatically. (Note that attempting a native install typically wipes out anything after drive E, and also is not compatible with XBPartitioner formatting. It will wipe out any XBPartitioner information, and a format with XBPartitioner after that will break Linux. It is fine though to wipe out the XBPartitioner information by installing native Linux, if you intend to never use XBPartitioner again on that drive) ===Using xbox7887's Serial USB Adapter (on the LPC bus)=== xbox7887 has created an [https://github.com/XboxDev/serial-usb-adapter open source SuperIO board], which connects to the LPC bus on the Xbox (more commonly known as the debug port; the place where you put a modchip.) SuperIO provides various legacy I/O technologies on a single chip, and was used on computer motherboards to provide PS/2, serial, parallel, floppy, and other interfaces. The LPC bus is a PCI device that can have various peripherals connected to it. SuperIO was used in original Xbox dev kits (the clear ones, not the green ones.) It provided a means of doing Xbox kernel debugging over a serial connection provided by the SuperIO chip via the LPC. This is what these boards are typically used for. Because LPC is a standard PC technology that is supported by Linux, devices on the LPC bus can be accessed from within Linux. Although xbox7887's board only provides access to one serial port, it would be theoretically possible to build out a board that supported parallel ports, floppy drives, etc... (although floppy drive support has been dropped from Linux) An important note is that there may be very few Xbox bioses that support this board, at least if the Xbox BIOS is booted first. (not tested with Cromwell flashed to TSOP/modchip). A bios that is known to work is X2 4981.67_256k. Other BIOSes may work but there was some confusion during the testing, so this part could be wrong. Here are the kernel config options that should needed to support this board on Xbox (not sure what's going on with formatting here.) (should these be merged into the default xbox config options? they might need to be re-tested first) <code> CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y # CONFIG_SERIAL_8250_16550A_VARIANTS is not set # CONFIG_SERIAL_8250_FINTEK is not set CONFIG_SERIAL_8250_CONSOLE=y # CONFIG_SERIAL_8250_PCI is not set CONFIG_SERIAL_8250_NR_UARTS=2 CONFIG_SERIAL_8250_RUNTIME_UARTS=2 CONFIG_SERIAL_8250_EXTENDED=y # CONFIG_SERIAL_8250_MANY_PORTS is not set # CONFIG_SERIAL_8250_SHARE_IRQ is not set CONFIG_SERIAL_8250_DETECT_IRQ=y # CONFIG_SERIAL_8250_RSA is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set # CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y</code> Note that this board can be used for debugging the Xbox kernel over serial, if the proper kernel config options are set for that. It can also provide a console over serial, I guess if you wanted to run headless without networking. Also note that serial over USB is a perfectly workable option if you don't have one of these boards on hand :) ===Using USB serial devices=== [Needs kernel config options, which once determined should probably be considered for merging into the xbox defconfig] ===Using Serial (USB or xbox7887's SuperIO board) for Kernel Debugging=== Kernel debugging was accomplished successfully using gdb, over both USB serial and xbox7887's board. Note that it is often better to do kernel debugging by running your kernel a non-Xbox machine or VM, if the Xbox hardware itself isn't required during development. Text output can often be sufficient to diagnose issues without the overhead of a setup like this. Since SSH can't connect early enough to debug the kernel on startup (can it be used at all?), a serial connection can be used as soon as it's available. Both the LPC and USB controllers are PCI devices, so they will become active at PCI init. Here are my notes on doing this in menuconfig, which should probably be translated into actual config options: <code> Device Drivers -> USB Support Enable serial, Kernel Device Drivers -> Character Devices -> Serial Drivers: 8250/16550 Compatible serial support Support 8250_core.* kernel options (DEPRECATED) - default Console on 8250/16550 and compatible serial port 8250/16550 PCI device support 1 port to register at runtime</code> ===Unpacking and Repacking an initramfs/initrd=== The initramfs files provided with Xbox Linux can come in multiple formats. To check what format it is, type <code>file [INITRAMFS_FILENAME]</code> ====cramfs==== If the result of the <code>file</code> command is "Linux Compressed ROM File System data", the format is cramfs. It should be little endian. Extracting cramfs: <code>fsck.cramfs --extract=[DESTINATION] [TARGET]</code> The destination will be created if it does not exist. Compressing cramfs: <code>mkcramfs [INITRAMFS_CONTENTS_DIRECTORY] [OUTPUT_FILE]</code> ====gzip==== If your initramfs has a .gz extension, chances are it's in gzip format. <code>file</code> will report <code>gzip compressed data</code>. Extracting gzip: Your file must have a ".gz" extension to work with gunzip. If it doesn't have one, rename it. <code>gunzip -c [INIT_RAM_FS_FILE]</code> A new file will appear in the folder; the filename without the gz extension. Now use <code>file [EXTRACTED_FILE]</code> to see what the filetype of the extracted file is. If it is an ext2 filesystem, you can mount and edit it. Compressing gzip: <code></code> ==See Also== *[[Xbox Linux Issues]] *[[Xbox Linux]] aee55e93ce36a7e893155f94c13026b519183854 0 4039 7217 7084 2022-07-05T22:31:27Z VannevarKush 2546 Moving page [[Linux]] to [[Xbox Linux]] (so people finding the page on google know what they are reading about) wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, the founder of the Xbox Linux team * [https://www.ridemybike.org/command1.pdf In the beginning... Was the Command Line] by Neal Stephenson * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time d2fe4de7a6de1d981775be9569e5e61a84df1b6a 0 4037 7218 7179 2022-07-05T22:32:02Z VannevarKush 2546 Moving page to Xbox Linux, replaced with redirect wikitext text/x-wiki #REDIRECT [[Xbox Linux]] e678c43d3692e66ffbe57e77b5a4c0d10eea923b 0 4038 7245 7177 2022-07-06T00:23:59Z VannevarKush 2546 wikitext text/x-wiki [[Link title]]Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== A minor issue, in that Xromwell works fine as a workaround. However, booting into Cromwell directly can be (very) convenient for development, and for easily boot into Linux from the OpenXenium BIOS menu. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 16a4f13f7a0f36ceb9e000205c5defe81ce7397f 7246 7245 2022-07-06T00:24:56Z VannevarKush 2546 wikitext text/x-wiki [[Link title]]Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell (Cromwell as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot can be (very) convenient for development, and to allow the user to easily boot into Linux from the OpenXenium BIOS menu. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 6656556003524c9108859f2947732907fc788b22 7247 7246 2022-07-06T00:25:08Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell (Cromwell as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot can be (very) convenient for development, and to allow the user to easily boot into Linux from the OpenXenium BIOS menu. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 479ca22df23c9efd8876ef28454b2dd0ea976da5 7248 7247 2022-07-06T00:25:46Z VannevarKush 2546 /* Cromwell incompatibility with OpenXenium */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell (Cromwell as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] aef888382491b4e659b8987b080964bcefff5c04 7249 7248 2022-07-06T00:26:24Z VannevarKush 2546 /* Cromwell incompatibility with OpenXenium */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] e1ad232b5f18176f2d530e889b945a06499d8092 0 4043 7250 2022-07-06T00:42:25Z VannevarKush 2546 Saving work wikitext text/x-wiki Cromwell is a clean room reverse engineered BIOS for the Microsoft Xbox, as well as a bootloader for Xbox Linux. It is often shipped as the default BIOS for Xbox modchips, since Cromwell is a fully legal custom BIOS for the Xbox, and it also has BIOS flashing ability. It has also been used as a basis for various low level Xbox tools, and custom versions have been released (such as XBlast OS). '''Xromwell''' is the same thing as Cromwell, but it runs as an xbe from the Xbox hard drive. The current active Cromwell source code repo is [available here https://github.com/XboxDev/cromwell] Early versions of Cromwell will not be compatible with Linux versions that use the 2.6 kernel and above. (what versions?) This usually is not an issue. Some versions of Cromwell require The disk cloning and partition management app Chimp uses a modified version of Cromwell to boot. It searches for the kernel and initrd in alternate locations that are specific to Chimp. ==GentooX Loader== GentooX Loader is a ==XBlast OS== XBlast OS was made for use with the Xblast modchip. This modchip provides specific low-level functionalities, like flashing the TSOP while the modchip is plugged in (with an additional wire soldered to the motherboard). If run from an Xbox TSOP, it can ==Media Checking Process== (todo) ==See Also== *[[Historical Xbox Linux]] *[[Xbox Linux]] 73009351c444d1eaf6b9b7e288465ebbf4ab30bf 0 4041 7251 7244 2022-07-06T00:52:15Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[live-linux https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736]''' An early Linux related to the mechinstaller hack(?); also worked from LiveCD,it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". ==See Also== *[[Xbox Linux]] 44b1eb86b5abcce301b37361135c793f6dddb7a1 7252 7251 2022-07-06T00:52:40Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux related to the mechinstaller hack(?); also worked from LiveCD,it was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". ==See Also== *[[Xbox Linux]] d24759186b0dfcf759526c0f2f637e4433c411e9 7253 7252 2022-07-06T00:55:00Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booed from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". ==See Also== *[[Xbox Linux]] e4bddd818e802197e9651747299d7e4c74238b2a 7254 7253 2022-07-06T01:05:40Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booed from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. ==See Also== *[[Xbox Linux]] 214b8eac211c9eedb2aa09b665bad0a3ea3c52f2 7255 7254 2022-07-06T01:06:20Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booed from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The links don't work, though. ==See Also== *[[Xbox Linux]] 6def9a60a164653439b13181628d9bf8ef1a4716 7256 7255 2022-07-06T01:06:50Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booed from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly useful for seeing filenames. ==See Also== *[[Xbox Linux]] eabe70d1a44ee9624de1d60959ff6bc36143d97d 7257 7256 2022-07-06T01:07:52Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booed from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] c4a4839db2fc15396df6eab8b8a83ae5310eea8d 7258 7257 2022-07-06T01:14:11Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booted from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] 582e2307f917da2c3a70db8451a4239a0dbe4191 7259 7258 2022-07-06T01:15:15Z VannevarKush 2546 /* Historical Distros */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booted from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. (is this right?) *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The original Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] 11678cc96fb3ce28d0279324c25a563c48a853b1 7263 7259 2022-07-06T02:41:28Z VannevarKush 2546 /* Historical links */ wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booted from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. (is this right?) *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The latest Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] d931b9828f0d03977f263d49dc1df8ee4db3ea26 7264 7263 2022-07-06T03:46:51Z VannevarKush 2546 wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Debian''' - *'''Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booted from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. (is this right?) *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The latest Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] dbf9345c4f57d76017b8b681c23a37e25ce2c652 7265 7264 2022-07-06T03:48:55Z VannevarKush 2546 Undo revision 7264 by [[Special:Contributions/VannevarKush|VannevarKush]] ([[User talk:VannevarKush|talk]]) wikitext text/x-wiki When it was announced that the specifications of the Xbox were known to be very similar to an X86 PC, Xbox Linux was quickly considered as a possibility for getting getting cheap Linux PCs into the hands of the masses. The first Xbox exploits were created to make Xbox Linux possible, and were quickly repurposed by modders, while Linux remained a more niche application on the original Xbox. In the years while the Xbox was still being manufactured, it could function as a cheap daily driver Linux PC, and some users modded the controller ports into permanent USB ports, and even installed a VGA connector. But, as with all PCs they eventually became obsolete as cheaper, smaller hardware became available with similar processing power. Xbox Linux reached a point of stable releases [https://www.linuxjournal.com/article/6704 around 2003], and the development continued thereafter, providing support for 1.4 Xboxes and their Focus encoder chip, and even support for 1.6 Xboxes and their changes. The 2.4 kernel was primarily used for Xbox Linux. The 2.6 kernel patches that were developed appear stable and quite usable, but scattered functionalities from the 2.4 kernel were never ported over. ==Timeline== [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''November 15, 2001''' - Microsoft Xbox released in United States * '''c. [https://web.archive.org/web/20021013204521/https://www.xenatera.com/bunnie/proj/anatak/xboxmod.html 2001-2002 (when?)]''' - [https://en.wikipedia.org/wiki/Andrew_Huang_(hacker) Bunnie Huang] [https://web.archive.org/web/20030405173112/https://ece.gmu.edu/crypto/ches02/talks_files/Huang.pdf hacks the Xbox boot ROM decryption key], allowing a starting point for Xbox BIOS modification * '''February 22, 2002''' - Xbox released in Japan * '''March 14, 2002''' - Xbox released in Europe and Australia * '''May 23, 2002''' - Xbox Linux project founded by Michael Stiehl * '''July 2, 2002''' - Michael Robertson, CEO of Lindows.com, offered two $100,000 prizes for accomplishment of Xbox Linux goals by January 1, 2003. (He was coincidentally being sued at the time by Microsoft, for use of the name "Lindows") One of the prizes offered was for a demonstration of Linux running on an Xbox (with a $55,000 "subprize" for writing a bootloader) The other prize was for an exploit capable of getting Xbox Linux to run without hardware modification, ideally by using just a CD-ROM. * '''August 13, 2002''' - First kernel boot * '''October 7, 2002''' - First graphical desktop environment (KDE) * '''October 9, 2002''' - Mandrake Linux 9 released for Xbox. Users had to replace or flash the TSOP. * '''December 17, 2002''' - [[Cromwell]] BIOS/bootloader ready. The first of the $100,000 prizes was claimed, for running Linux on Xbox and developing a bootloader before January 1, 2003. * '''December 31, 2002''' - [https://www.theregister.com/2003/01/02/xbox_linux_donor_extends_prize/ Michael Robertson extends the prize deadline for the remaining prize.] * '''March 29, 2003''' - The second prize was claimed for the [[Exploits#007:_Agent_Under_Fire|007 hack]] by Habibi_xbox. (the game Frogger Beyond was initially hacked, but it wasn't released in Europe) This launched a minilinux via an exploit from a hacked savegame on an Xbox memory card, technically accomplishing the goal of using Linux on the Xbox without hardware modification. However, users had to start Linux via the hacked game save every time. * '''July 4, 2003''' - The [[Exploits#Font_hacks|font exploit]] is discovered, demonstrating the ability to run Linux from the hard drive with no modchip, a true "softmod". (but also opening Pandora's box of piracy, which Xbox Linux wanted to avoid association with.) The dashboard audio exploit was discovered soon afterwards. * '''July 7, 2003''' - A [https://www.mail-archive.com/bugtraq@securityfocus.com/msg11923.html official security release] is made about newly discovered Xbox security vulnerabilities, as responsible hackers should do * '''August 11, 2003''' - The Mechassault exploit was released by Jeff Mears, with full softmod conversion. Efforts were made to obfuscate the source to prevent uses for piracy More details [https://sourceforge.net/projects/xbox-linux/files/Presentations/20th%20Chaos%20Communication%20Congress/ here] ==Historical Distros== A number of distributions were released, built around the Xbox Linux-patched kernel. *'''[https://gentoox.shallax.com GentooX]''' - GentooX, unlike vanilla Gentoo, provided precompiled binaries to the user via a custom repository. These were binaries compiled specifically for the Xbox. GentooX had both Home and Pro editions, the Home edition built around a desktop environment and the Pro edition built around the CLI. GentooX was a popular and developed Xbox Linux distro. The website is [https://web.archive.org/web/20220328101921/https://gentoox.shallax.com/ still being archived], although it appears broken in Chrome. The latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Home/ GentooX Home] is 7.1, and the latest release of [https://sourceforge.net/projects/xbox-linux/files/Gentoox/Pro/ Pro] was 5.1, in 2009. Tested and working. Works from DVD. The pro version attempts to boot from the CD into GentooX loader, so be sure set your BIOS not to boot from CD if booting from CD doesn't work from you. Try Xromwell if GentooX loader doesn't work. *'''[https://web.archive.org/web/20050510000924/http://www.x-dsl.org/ X-DSL]''' - Based on Damn Small Linux, X-DSL was a lightweight Linux build. It used Knoppix patches to be able to boot to a desktop environment from small (<100MB) loop devices from FATX. It can also make a "native" install to the hard drive, or install to a larger loop device for a permanent setup. X-DSL is an easy version of historical Linux to try out today, since it can be launched and run entirely from drive E and that avoids some incompatibilities of Xbox Linux with larger hard drives. (if your hard drive is 3TB in order to get that extra .1TB of space, it may not work). The latest official version of X-DSL is 0.6, although there is an unofficial 0.7 floating around, among various other unofficial builds. X-DSL 0.6 can be found [https://sourceforge.net/projects/xbox-linux/files/X-DSL/X-DSL%20v0.6/ here]. The contents of the zip file can be copied to the root of E (so that linuxboot.cfg is in the root) and launched with Cromwell or GentooX, with no CD. The iso is also tested and working. *'''[https://web.archive.org/web/20060529005204/http://www.dynebolic.org:80/ Dyne:bolic Linux]''' - This is Rasta software! Dynebolic Linux is a multimedia creation, editing, and streaming focused distro that could boot as a liveCD on many systems, including original Xbox. Original Xbox support was ended in Dyne:bolic 2.x, but that uses the 2.6 kernel so it could theoretically be supported if someone felt like it. The latest version compatible with the Xbox is 1.4.1, [https://osarchive.sda1.eu/dyne-bolic available here]. This distro has a lot of toys and is fun to check out. Also, it works from DVD! (it does seem to have a low color depth in the desktop though...) *'''[https://web.archive.org/web/20100617005832/http://www.xbox-linux.org/wiki/XUbuntu xUbuntu]''' - Not related to the distro more commonly known as "xUbuntu". "xUbuntu is based on Ubuntu 5.10 (Breezy Badger) distribution without graphical environment. xUbuntu linux system can be run from CD or installed to a PC or Xbox hard drive. The install process, the kernel, the kernel modules and the desktop are customized for PC and Xbox (i386)." The latest version is 0.9.0, [https://sourceforge.net/projects/xbox-linux/files/xUbuntu/xUbuntu%200.9.0/ available here]. It needs to be burned to a CD instead of a DVD. *'''Ed's Xebian''' - Not related to the distro more commonly known as "Xebian". Does not appear to have a website. From the original Xbox Linux wiki, "With superb flexibility and ease of use, it can run off CD/DVD or it can be installed onto the Xbox hard drive in either the free space or the saved game area. The OS includes support for all versions of the Xbox, including those with Xcalibur video chips. Based on Debian stable (Sarge) with backports for newer software." The latest version is 1.1.4, [https://sourceforge.net/projects/xbox-linux/files/Ed_s%20Xebian/Xebian/ available here], which boots to desktop as a liveCD. It seems to require burning to a CD instead of DVD. *'''[https://web.archive.org/web/20060630100324/http://www.keckstar.com:80/nuke/html/index.php sXb]''' - Slackware for the Original Xbox. The versioning is a little unclear, but the most recent ISO on sourceforge is in the iso.gz file [https://sourceforge.net/projects/sxb/files/Sxbnew/SXBNEW-iso--dfb-xdirectfb/ here]. May need to be burned to CD. Reported "controller jammed" messages at startup, but one of my controller ports is busted. *'''Mandrake''' A Mandrake 9 was released and claimed to be the first full distribution on the Xbox, but apparently was not continued or supported. No known Web site. Does anyone have a copy of the original Xbox Linux Mandrake iso for archival purposes? It appears a 2005 "special edition" with the Xbox patches can be found [http://ftp.twaren.net/Linux/Mandrake/official/iso/10.1/i586/10.2/ here]. (Mandrake Linux was renamed to Mandriva Linux in 2005). Requires composite cable, at least on this 1.0 Xbox. Appears to require burning to a CD, instead of a DVD. *'''[https://web.archive.org/web/20060713072515/http://www.not404.com:80/cgi-bin/trac.fcgi/wiki/XFedora4 xFedora]''' A port of Fedora Core to the Xbox; essentially Fedora Core with Xbox patches. The latest version is 0.7.41, [https://sourceforge.net/projects/xbox-linux/files/Fedora/ available here]. I am unsure how to run it. *'''SuSE 8''' - There's a dead download link on the old wiki. Seems to have been abandoned *'''old xbox-linux iso''' The xbox-linux team released some preliminary ISOs during the development of Xbox Linux. *'''[https://web.archive.org/web/20051106185529/http://article.gmane.org/gmane.linux.ports.xbox.devel/5736 live-linux]''' An early Linux that 007 hack users tried; it booted from CD but could also boot from the hard drive. It was released up to 0.3, no known website, but here is [https://sourceforge.net/p/xbox-linux/mailman/message/10300266/ the announcement]. The latest image is [https://legacy.downloads.diomtec.com/homebrew/xbins/Console%20Based%20Applications/Operating%20Systems/linux/distributions/live-linux/live-linux.0.3.iso.bz2 available here]. The file boot/boot.cfg on the iso needs to be renamed to linuxboot.cfg. The video became garbled launching with both composite and component cables. (may need an old version of Cromwell; untested) This is a very basic minilinux distro, essentially a proof of concept. The linuxrc is a symlink to busybox. It comes with a 9MB image. *'''ltools''', a minilinux used in Xbox game save hacks, first designed to install Linux, but later repurposed to softmod the Xbox. (is this right?) *'''[https://sourceforge.net/projects/xboxhdm2/files/ xboxhdm]''' is a tool made by Idotsfan for softmodding locked Xbox hard drives, it's a PC-based CD-bootable set of Linux tools *'''XMugen''' packaged Mugen for Linux using a busybox in an initramfs, and used swap and game character data files located on FATX. It currently has issues with anything other than "F takes all" schemes. *'''Chimp''' is a tool for cloning and basic partitioning on Xbox hard drives. It runs from an initramfs. *'''[https://web.archive.org/web/20051214030132/http://nexus.il.fontys.nl:80/ FreeBSD/Xbox]''' - Not Linux per se, but it's a port of FreeBSD to the Xbox. It was officially integrated into FreeBSD as a set of optional patches. A NetBSD setup can be found [ftp://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/xbox/ here] but it requires the rootfs mounted on NFS. There might be a self contained ISO out there? ==Installing Old Distros== These liveCDs above should all be safe to try on your Xbox, but installation to your hard drive is more risky. It can be fine if you take the proper considerations. Here are the installation methods usually presented by the installers: '''Native Install''' This may not be compatible with softmods! '''Don't mess around with native installs on a locked hard drive or a hard drive that's not backed up! Flash your TSOP or hardmod first!''' This may wipe your hard drive, format it for Linux, and expect you to put Cromwell on your BIOS. It may also mean just formatting F and booting into it from Xromwell on FATX. So make sure you know which one it is! (the installer should tell you, if it's installing to F you should be fine) Any native install with a boot partition (launched via a hard drive icon in Cromwell/Xromwell) is NOT compatible with the XBPartitioner table, and installing it will overwite the XBPartitioner table. So "F takes all" is preferred here, for allowing coexistence with the stock partitions. '''If you have a native install, DO NOT USE XBPARTITIONER unless you want to remove Linux. Any XBPartitioner format will break Linux by wiping out the MBR that Linux uses to find its partitions.''' You can't have custom FATX partitions alongside a Linux native install. (So use a spare hard drive for a native install) '''Loopback Install''' This installs Linux to a file on the FATX filesystem. Your Linux filesystem will be contained within that file. This means that no repartitioning of your hard drive is necessary. This is a safer install method, if you have space for a small install on E, or if you are using an "F takes all" scheme with an Xbox partition on F. Drive F must end below the 137GB boundary, if doing a loopback install to it. (is that right?) XBPartitioner-defined partitions are not supported by official versions of Xbox Linux, it only looks for the stock partitions plus "F takes all". I am unsure of the behavior if the drive is bigger than F can be. Loopback installs should be safe if your FATX drive F is detected by Xbox Linux. In general, using a <137GB hard drive avoids these issues, although loopback installs can still be done on larger drives. It is not advisable to make changes on the FATX filesystem more than you have to in Xbox Linux. Mounting and reading FATX partitions is fine, but doing complex write operations should be avoided, just in case. The 2.4 kernel FATX support is thought to be more stable than in the 2.6 kernel. If you need to copy lots of files to your Xbox, do it via an Xbox dash using FTP. Simple operations on FATX should be fine, and the FATX support is not seriously unstable, but better to be safe. Loopback installs are considered to be stable, even though the files exist on FATX. ==Historical links== Much of the old Xbox Linux information now lives on archive.org. It is helpful if you come across anything useful, to add it here! * [https://sourceforge.net/projects/xbox-linux/ The latest Xbox Linux repository on sourceforge.] The mailing list archives can help answer esoteric questions about xbox linux, sometimes. The files section contains various Xbox Linux software and historical distribution isos. * [https://sourceforge.net/projects/xboxhdm2/files/ The xboxhdm repository.] It contains source and executables for many Xbox tools created and modified by Idotsfan. The X-DSL directory contains some information on the original Xbpartitioner table patches. * [https://web.archive.org/web/20100617000252/http://www.xbox-linux.org/wiki/Main_Page The "New" Xbox Linux wiki], which was online until 2011. * [http://web.archive.org/web/20050307163352/http://wiki.xbox-linux.org:80/ The original "Old" xbox linux wiki] * [https://web.archive.org/web/20050724003648/http://xbox-linux.sourceforge.net/cgi-bin/moin.cgi/FrontPage the "Old" xbox wiki on SourceForge.] * [http://web.archive.org/web/20040419204220/http://xbox-linux.org:80/ The "Old" xbox-linux website], before the website was replaced with the "new wiki". * [https://web.archive.org/web/20030204023051/http://sourceforge.net:80/project/showfiles.php?group_id=54192 The original Xbox Linux downloads page] on SourceForge. Distros are removed as they become unmaintained, so time travelling can be useful here to see all distros. The download links aren't archived, though; mainly it's useful for seeing the filenames. ==See Also== *[[Xbox Linux]] d931b9828f0d03977f263d49dc1df8ee4db3ea26 0 4039 7260 7217 2022-07-06T01:24:21Z VannevarKush 2546 /* See Also */ wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, the founder of the Xbox Linux team * [https://www.ridemybike.org/command1.pdf In the beginning... Was the Command Line] by Neal Stephenson * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time * [https://www.youtube.com/watch?v=Fow7iUaKrq4 kill -9 by Monzy] (parental advisory: explicit content) 60069b239bd6d9097fc96c06e7a3b6ec7e5fb6e9 7261 7260 2022-07-06T01:26:16Z VannevarKush 2546 wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==Inspiration== * [https://www.ridemybike.org/command1.pdf In the beginning... Was the Command Line] by Neal Stephenson * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] Some inspiration * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time * [https://www.youtube.com/watch?v=0rG74rG_ubs kill -9 by Monzy] (parental advisory: explicit content) ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, the founder of the Xbox Linux team 066006cc10a1d9d4060c1f4e823421b64c4372cc 7262 7261 2022-07-06T01:27:00Z VannevarKush 2546 /* Inspiration */ wikitext text/x-wiki The first Xbox Linux releases were in 2003, and Xbox Linux reached its peak of popularity in 2003-2006. To read more about it, see '''[[Historical Xbox Linux]]'''. Today, Xbox Linux has more of a hobbyist appeal. The former kernels of 2.4 and 2.6 were woefully out of date. To save the day, haxar has patched a modern kernel (5.8) with everything needed to run a terminal-based instance of Xbox linux. This kernel can be used as the basis for setting up modern Xbox Linux distributions. It would be possible to use Xbox Linux to bundle Linux setups and individual Linux applications, once the proper functionality is set up. Linux also has applications as a platform for investigating the Xbox hardware. ==Current Status== A CD-installable distro is currently being worked on. For a list of the current issues that are blocking functionality on Xbox Linux, see '''[[Xbox Linux Issues]]'''. For some guides and information that might help you get Xbox Linux up and running, see '''[[Xbox Linux Tips and Tricks]]'''. ==Links== * [https://github.com/haxar/xbox-linux Haxar's modifications] to the 5.8 kernel ** [https://github.com/XboxDev/xbox-linux-initramfs A basic initramfs] for use with that kernel ** [https://github.com/XboxDev/xbox-linux-busybox The busybox setup] used in that initramfs * [https://github.com/mborgerson/fatx mborgerson's FATX library], including a FUSE driver for FATX support in Linux * [https://github.com/alexwinger/ubuntu-cosmic Ubuntu Cosmic with FATX, DON'T USE THIS], there is no actual FATX code in this repo. It appears to be just a starting point for a FATX implementation in Linux. Posted here to save you the time of figuring that out for yourself. ==Inspiration== * [https://www.ridemybike.org/command1.pdf In the beginning... Was the Command Line] by Neal Stephenson * [https://www.usenix.org/system/files/1311_05-08_mickens.pdf The Night Watch] by James Mickens * [https://web.mit.edu/~simsong/www/ugh.pdf The UNIX Hater's Handbook] Some catharsis, from before the dawn of time * [https://www.youtube.com/watch?v=0rG74rG_ubs kill -9 by Monzy] (parental advisory: explicit content) ==See Also== * [[17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System|17 Mistakes Microsoft Made in the Xbox Security System]] by Michael Steil, the founder of the Xbox Linux team 005a15c124068e0fd9af3ce13829911032796e03 0 4038 7266 7249 2022-07-08T21:06:51Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 535df821cabc4210b437fbebe41a13dcb17b8309 7267 7266 2022-07-09T06:00:14Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." ==IDE to SATA Adapter Issues with Cromwell== It was found testing on a stock and a 1.4 GHz Xbox, that there may be issues with IDE to SATA adapters. The PATA to SATA adapters tended to work, with or without a DVD drive, but did not work with a CF card on HDB. (this does work if hda is an IDE drive.) Cromwell never got to the boot menu with the Startech adapter. The quickness of the failure seemed to depend on the adapter and drive used. With one SSD, Cromwell would boot to a black screen, but not always, and it would sometimes detect an SSD before freezing. It appears there may be some kind of synchronization issue, but the nature of it is currently unclear. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 26b2241ddb1dcdef7b3bfc1bdb3ab4eee01cadee 7268 7267 2022-07-09T06:02:05Z VannevarKush 2546 /* IDE to SATA Adapter Issues with Cromwell */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." ==IDE to SATA Adapter Issues with Cromwell== It was found testing on a stock and a 1.4 GHz Xbox, that there may be issues with IDE to SATA adapters. The PATA to SATA adapters tended to work, with or without a DVD drive, but did not work with a CF card on HDB. (this does work if hda is an IDE drive.) Cromwell never got to the boot menu with the Startech adapter. The quickness of the failure seemed to depend on the adapter and drive used. With one SSD, Cromwell would boot to a black screen, but not always, and it would sometimes detect an SSD before freezing. It appears there may be some kind of synchronization issue, but the nature of it is currently unclear. The main practical issue is supporting Startech adapters as they are faster and more reliable than the cheaper ones. Also, it was found that two adapters together (one on hda and one on hdb) in any combination did not work with Cromwell. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 19dc47961062b6d0fbf2187e0fb7651ed2a38980 7269 7268 2022-07-09T06:03:16Z VannevarKush 2546 /* Cromwell incompatibility with OpenXenium */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." (is this only on 1.0 Xboxes?) ==IDE to SATA Adapter Issues with Cromwell== It was found testing on a stock and a 1.4 GHz Xbox, that there may be issues with IDE to SATA adapters. The PATA to SATA adapters tended to work, with or without a DVD drive, but did not work with a CF card on HDB. (this does work if hda is an IDE drive.) Cromwell never got to the boot menu with the Startech adapter. The quickness of the failure seemed to depend on the adapter and drive used. With one SSD, Cromwell would boot to a black screen, but not always, and it would sometimes detect an SSD before freezing. It appears there may be some kind of synchronization issue, but the nature of it is currently unclear. The main practical issue is supporting Startech adapters as they are faster and more reliable than the cheaper ones. Also, it was found that two adapters together (one on hda and one on hdb) in any combination did not work with Cromwell. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 79e2843340eb195fa52a963710b568bef81f2463 7270 7269 2022-07-09T08:54:20Z VannevarKush 2546 wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." (is this only on 1.0 Xboxes?) ==IDE to SATA Adapter Issues with Cromwell== The SATA to IDE adapters (Startech and the "PATA TO SATA" ones) are sensitive to electromagnetic interference, and these can be unreliable with Cromwell. They might work when the cable is in one position, and not when it's in another position. This may account for reported issues with Chimp where it simply refuses to run on an Xbox. The difficulty here is that Xbios environment can be completely stable, but Cromwell and its variants freeze, fail to load, or work unreliably. Is this an issue with DMA mode detection? It should probably be fixed, although it is avoidable by following some best practices.. The solution for users is to use shorter cables (possibly placing the hard drive in the DVD area), and to try adjusting the cable position. ==Cromwell Initramfs Limitations== If too big of an initrd file is passed, the kernel boot freezes while "Starting Linux" is displayed. (Cromwell may be freezing here.) The current largest initramfs file that worked in Cromwell was about 7125kb. The reason for this is curerntly unknown; Cromwell provides about 34MB in its memory layout to be used for loading the initramfs. It is also currently unclear if initramfs files of >4MB are properly being parsed by the kernel. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] b1c3cf2480bc1cddbb3d42b7788cdbf12ff1043a 7271 7270 2022-07-09T09:29:55Z VannevarKush 2546 /* IDE to SATA Adapter Issues with Cromwell */ wikitext text/x-wiki Here is a list of issues that are blocking general functionality on [[Linux|Xbox Linux]]. ==Cromwell incompatibility with OpenXenium== This is overall a minor issue, in that Xromwell ([[Cromwell]] as an xbe) works fine as a workaround. However, booting into Cromwell directly on Xbox boot would be (very) convenient for Xbox Linux development, and it would allow the user to easily boot into Linux from the OpenXenium BIOS menu. "VERY IMPORTANT: As of 2004/10/27, v1.0 Xboxen with Xenium ICEs can only use Cromwell BIOS 2.30 and BELOW. This limits you to using 2.4 verison kernels. Cromwell 2.31 and higher changed the memory map so that 2.6 BIOSs can be be used. The problem with the Xenium on v1.0 boxes is believed to be a CPLD issue. The problem shows up when trying to start the 2.31+ BIOS. The box will power cycle twice, and then FRAG (Flashing Red And Green eject button). This may or may not be fixable. If you have a v1.1 or higher XBox, you won't have to concern yourself with this issue." (is this only on 1.0 Xboxes?) ==IDE to SATA Adapter Issues with Cromwell== The SATA to IDE adapters are sensitive to electromagnetic interference (Startech and the "PATA TO SATA" ones were tested), and these can be unreliable with Cromwell. They might work when the cable is in one position, and not when it's in another position. This may account for reported issues with Chimp where it simply refuses to run on an Xbox. The difficulty here is that Xbios environment can be completely stable, but Cromwell and its variants freeze, fail to load, or work unreliably. Is this an issue with DMA mode detection? It should probably be fixed, although it is avoidable by following some best practices.. The solution for users is to use shorter cables (possibly placing the hard drive in the DVD area), and to try adjusting the cable position. ==Cromwell Initramfs Limitations== If too big of an initrd file is passed, the kernel boot freezes while "Starting Linux" is displayed. (Cromwell may be freezing here.) The current largest initramfs file that worked in Cromwell was about 7125kb. The reason for this is curerntly unknown; Cromwell provides about 34MB in its memory layout to be used for loading the initramfs. It is also currently unclear if initramfs files of >4MB are properly being parsed by the kernel. ==Native Boot Partition Filesystem Compatibility with Cromwell== When booting a "native" install, Cromwell scans the MBR and looks for partitions that are flagged as bootable. If the partition is bootable, Cromwell attempts to determine the filesystem, and load linuxboot.cfg. If the user launches that instance, the kernel and the initrd will then be loaded from that partition. (The presence of initrd and kernel is not checked until launching) When setting up a native install, a boot partition formatted with ext2 worked fine as formatted by historical X-DSL. The linuxboot.cfg was detected, and Cromwell presented a hard drive icon to load the native install. When formatting the same partition using a modern distro, Cromwell does not detect the linuxboot.cfg, but it does detect the ext2 filesystem and attempts to read it without errors. (This has been tested by formatting on Gentoo, Debian, and from a Gentoo liveCD on the Xbox.) Something about the way these ext2 partitions are being formatted by modern tools is preventing the Xbox from reading files on them. Turning off the new ext2 features using mkfs.ext2 /dev/sdb1 -O ^resize_inode,^dir_index,^large_file,^ext_attr did not make a difference. Formatting this partition from modern Linux with vfat and no options also did not work. Formatting as Fat32 in Windows with EaseUs Partition Master did work. Note that Cromwell is able to read the root partition and get linuxboot.cfg from there even for larger root partitions (tested up to 80GB); a reserved boot partition is not strictly needed, but Cromwell still needs to be able to load the kernel and initrd. So the main question here is, what kind of partitions does Cromwell support? How can at least one kind of these partitions be reliably formatted using a terminal command in Linux? Or, can Cromwell be easily updated to support new filesystem developments? Since a boot partition is only needed for Cromwell to load the kernel and initrd, it would be acceptable for a more archaic filesystem configuration to be used as the boot partition, which would still give users the freedom to format the root partition with the kernel-supported filesystem of their choice (which is basically the point of a boot partition.) Ext2 is not necessarily the only option here either. ==XBPartitioner Table and MBR Incompatibility== This issue is relevant to native Linux installs. In a native Linux install, the user formats empty regions of their hard drive and adds an MBR to the hard drive, which is used by Cromwell to access the Linux boot partition and subsequently load linuxboot.cfg, the kernel, and the initrd. The way that Cromwell is currently set up, it can't find Linux partitions without the MBR. The MBR partitioning/boot scheme uses a 512 byte record at the beginning of the drive. Since the actual boot data isn't needed on Xbox, the first 440 bytes are filled with zeroes when using fdisk, and can be considered unused here. [[http://www.sharetechnote.com/html/Linux_MBR.html MBR layout information]] The [[FATX]] filesystem has a config area of 1024 sectors (512K) starting at the beginning of the drive. The first 48 bytes are officially used, the rest can be zeroes, but later in the config area is where XBLA information is stored. On a stock-formatted Xbox hard drive, the contents of the early config area don't seem to matter much to ind-BIOS (tested), although Insignia may use the later XBLA regions in the future. If a stock FATX config area has its first 512 bytes overwritten by an MBR, it is not known to cause problems with any other Xbox functionality. (based on the fact that native Linux installs have been run in this way for years) The problem arises with the XBPartitioner table, a custom partitioning scheme for Xbox hard drives that was never officially supported by Xbox Linux. It is common on Xboxes with larger hard drives. The XBPartitioner table provides 14 partition "slots" for FATX partitions, and it allows users to format their Xbox hard drive with additional FATX partitions. The partition table is written into unused space in the FATX config area, immediately after the initial stock data. XBPartitioner wipes the remaining bytes of the config area when writing a partition table including any MBR contents; other tools are untested so far. And fdisk overwrites the first 512 bytes of the FATX config area with an MBR, replacing the first 440 bytes with zeroes. Another issue arises in that the two partitioning schemes overlap, even if only the necessary data were written for both XBPartitioner table and MBR; that is if they didn't write the zeroes. This struct shows the layout of the config area, followed by the partition entry struct. From the unofficial XBPartitioner patches for the old Xbox kernel: <syntaxhighlight lang="c"> // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char magic[16]; char reserved[32]; XBPartitionerTableEntry partitions[FATX_XBPARTITIONER_PARTITIONS_MAX]; } XBPartitionerTable; // Temporary struct used to load XBPartitioner data directly from disk. typedef struct { char name[16]; u32 flags; u32 start; u32 size; u32 reserved; } XBPartitionerTableEntry; </syntaxhighlight> The XBPartitioner table entries start at 48 bytes, and each partition's entry is 32 bytes in size. With 14 partitions, the XBPartitioner table ends at 496 bytes, and overwrites a good chunk of the relevant MBR content, which starts at 440 bytes. So tool modification alone can't make these schemes compatible. The XBPartitioner table has no metadata, only partition entries, and has no known way of redefining the number of available partitions. However, if the XBPartitioner table only had 12 partitions, the partition table would end at 432 bytes and the two schemes could coexist. ===Possible Solutions=== ====F Takes All==== This was the typical scheme used by historical Xbox Linux. The area after E would be used for Linux partitions. With larger hard drives available, there is a need for Xbox Linux to coexist with other content on the user's drive. This is okay when the user doesn't want to later modify the partition layout of their hard drive using XBPartitioner, and they want to reserve that hard drive primarily for Linux. ====A 12 partition XBPartitioner Table==== This would involve attempting to get general acceptance of changing the XBPartitioner spec to 12 partitions, so it doesn't overlap with MBR. Or providing a custom set of tools and bioses that support this. '''Pros''' * Cromwell would not need to be modified significantly * The 512 byte boundary could be considered the starting point for future config area modifications * Very few users have more than 7, much less 14 partitions on their Xbox which provide little practical use * Any Linux PC can easily mount the Linux partitions '''Cons''' * Lots of software would need to be updated, including BIOSes, partitioning tools, and disk formatting tools in Xbox Linux and on PC. There might be a more elegant solution. ====Using the XBPartitioner Table To Define Linux Partitions==== '''Pros''' * No partitioning scheme incompatiblity management * No dual partitioning scheme; both Linux and Xbox tools would have awareness of the full drive partition table, to avoid accidentally creating overlapping partitions * Unused per-partition flags in the XBPartitioner table could be used to mark partitions as Linux as a future standard * Scripts utilizing dd to read the XBPartitioner table could be used as a stopgap before full kernel support is developed '''Cons''' * The Cromwell Grub code would need to be modified to use the XBPartitioner table in place of MBR (this may not be overly complicated) * Scripts, tools, or kernel support will be needed in order to mount these partitions in Linux, both on the Xbox and on other PCs * Any tools used to mount Linux partitions and edit their characteristics would have to be updated to support it, primarily apps that mount non-FATX partitions. This could be simple * FATX kernel support would need to be ported for a long term performant solution. (fatxfs performance still needs to be evaluated on Xbox, as an alterative option) * The user is limited to 14 total partitions; with F and G they have 7 partitions which is enough for 3 Linux installs (3 boot partitions, 3 data partitions, and shared swap). It would be workable though for most use cases. ====Using Contiguous Files Allocated on FATX as a Filesystem==== This was proposed by mborgerson, as an option to avoid dealing with partition tables at all. Since coexistence of Linux filesystems with FATX is desired, and there are incompatibilities in the current partition table schemes, and correcting this would take a great deal of effort, it was suggested to contain the raw partition data on FATX partitions. A FATX Linux utility could scan a FATX partition for contiguous available space. It could then allocate several 4GB files (the FATX file size limit) across that range of space. Then, the entire range of sectors could be formatted a Linux partition or group of partitions by sector range, and a distribution installed there. '''Pros''' * This avoids modifying partition tables at all, so we don't have to worry about changing existing standards. * The tool fatxfs provides a starting point for interacting with the FATX filesystem without kernel FATX support. FATX partitions only need to be temporarily accessed as such, and once the contiguous files are created and their sector range is known, Linux can work with that area of the disk directly. After starting up and mounting any partitions, Linux does not strictly need any knowledge of FATX. * Contiguous files can be checked for contiguity before mounting to avoid overwriting other data * Users could reserve a FATX partition for Linux in XBPartitioner and then use Linux to fill it with contiguous files, the end result should be equivalent to formatting a partition and using MBR to access it, although the mounting process would differ. * Swap could be shared between Linux installs as long as some kind of common file/directory name or other method is used to detect shared swap on a FATX partition. * Users can place the kernel and intitrd on FATX partitions and launch using existing Cromwell functionality for loading from FATX, so no boot partitions are needed here * This could also address the issue of [[Xbox Linux Issues#Lack of FATX Kernel Support|kernel support being needed to mount loop devices]]. But see the "cons" section about FTP-ing images to the hard drive '''Cons''' * A custom tool would be needed to access and mount these partitions, both on the Xbox and outside of it. This is still much simpler to address than the issues in the previous proposals. * The user's filesystem may be fragmented in about the same manner as a FAT filesystem. In order to create space for contiguous files, defragmentation may be needed, especially on partitions which have seen a lot of use and re-use. * If a user downloads these contiguous files and FTPs them to their Xbox, these files may become fragmented. (It is not fully understood in what situations the BIOS decides to fragment a file.) In order for FTP to work for sharing these files, a utility would have to be able to "defragment" an image and place the data in the right order on the hard drive, without gaps. This could take some time for larger images. One option would be to defragment the drive first and then have Linux handle the FTP part to make sure it gets transferred correctly. ===Mounting a Range of hda as a Loop Device=== (fill out) ==Lack of FATX Kernel Support== Loop devices are a common method of packaging Xbox Linux installations, in order to avoid modifying the partition table on the Xbox hard drive. A loop device is a filesystem image that can be mounted from within another filesystem. When put on a FATX partition, they allow Xbox Linux to be run from the hard drive without modifying the user's partition table at all. These setups can be used to bundle Linux builds and other apps for easy distribution. (XMugen, for instance.) The current Xbox Linux patches don't port over the support for mounting the FATX filesystem in Linux. This is because the underlying code has changed significantly in a few places since then. [[User:VannevarKush]] is working on porting the old FATX code to the kernel for native support, but it is a work in progress. The lack of native FATX support means that mounting loop devices can't be done. Right now, native install and live CDs are the current available boot options for Xbox Linux. The FUSE based fatxfs [https://github.com/mborgerson/fatx code by mborgerson] may be usable as a stopgap, although its performance hasn't been evaluated yet on an Xbox. ==Advanced Video Support== The Xbox Linux kernel currently only uses the most basic video support available (defined by CONFIG_FRAMEBUFFER_SIMPLE in the kernel config). More advanced support may be needed to run desktop environments and to run graphical applications with better performance. Does code need to be merged over from the original sources for xbox video? ==See Also== *[[Xbox Linux Tips and Tricks]] *[[Xbox Linux]] 2e9652dd9599ad7052562bb7d1fb0fe6882d235c 2 4044 7272 2022-07-12T17:55:31Z John 2547 Creating my user page... wikitext text/x-wiki Hi there. I'm John. I'm @jj5 on libera.chat. I've just started learning about OGXbox... there's a lot to learn! 44020624645395b62e27fdfc5e8a8ee503b2ddb5 0 3789 7273 6373 2022-07-26T05:30:30Z Ryzee119 2519 wikitext text/x-wiki == USB Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbits/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 202e39b37337b57c473ad62969debc63285a2f93 7274 7273 2022-07-26T05:30:46Z Ryzee119 2519 /* USB Controllers */ wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbits/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html a53dc5d5c8e6cda60428a07b61feea5222cdf589 7275 7274 2022-07-26T05:31:34Z Ryzee119 2519 /* USB Host Controllers */ wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbit/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html d8cf23555c4fa924801d8d3b7f555683b12bbcd6 7276 7275 2022-07-26T05:32:02Z Ryzee119 2519 /* USB Host Controllers */ wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbit/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 8ff85a26e736c580a285d7420d2b7f36bf69e695 7279 7276 2022-07-26T05:35:09Z Ryzee119 2519 Move Xboxcam info to its own page wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbit/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: NoPowerSwitching: PowerSwitchingMode: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> 8f9751bbfc4a41e04d674a9a234f6d53d0d36d98 7281 7279 2022-07-26T10:28:03Z Ryzee119 2519 Add RhPortDescriptor info wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbit/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: HcFmInterval: 0x22ed8 (Note: Slightly different from OHCI spec of 0x2EDF) HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: HcFmInterval: HcRhDescriptorA: NumberDownstreamPorts: PowerSwitchingMode: NoPowerSwitching: DeviceType: OverCurrentProtectionMode: NoOverCurrentProtection: PowerOnToPowerGoodTime: HcRhDescriptorB: DeviceRemovable: PortPowerControlMask: </pre> 4a681a0c6362e81741402d4839072b4248f1bf77 7282 7281 2022-07-26T10:38:56Z Ryzee119 2519 Add HcRhDescriptorA for USB1 wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). OHCI supports USB devices up to USB1.1 12Mbit/s. The OHCI hardware also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: FIXME <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> 019a548ad75fc8f5e04a5a6a872132572cb2404a 7283 7282 2022-07-26T10:43:14Z Ryzee119 2519 Add USB0 and USB1 IRQ channels wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult the use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> 59b090854bb0e96c159bea6b8bf3e110c97c892f 7284 7283 2022-07-26T10:46:10Z Ryzee119 2519 Fix type wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard: <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> f0465dafe48ff8c9a0c9f235b8cae49382fb2a2d 7285 7284 2022-07-26T10:52:16Z Ryzee119 2519 wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> 8d58d297b241e0942da03aab7efd074862778142 7286 7285 2022-07-26T11:08:33Z Ryzee119 2519 wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard. The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instances Ports 2,3 and 4 on the OHCI Root Hub are not connected. To determine where the Xbox software should look for gamecontrollers a kernel export is used to indicate if this daughterboard is present. Bit 1 of export variable XboxHardwareInfo determines whether the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to 3,4,2,1 respectively of the RootHub or Daughterboard Ports. </pre> 4abfb8ab97ae51d3a2891b4b4c623871b39ac8dc 7287 7286 2022-07-26T11:09:25Z Ryzee119 2519 Add Daughterboard URL wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard (https://xboxdevwiki.net/Motherboard#USB_Daughterboard). The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instances Ports 2,3 and 4 on the OHCI Root Hub are not connected. To determine where the Xbox software should look for gamecontrollers a kernel export is used to indicate if this daughterboard is present. Bit 1 of export variable XboxHardwareInfo determines whether the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to 3,4,2,1 respectively of the RootHub or Daughterboard Ports. </pre> ec8ab97371a6d5136928778e9e21d397850ece7b 7288 7287 2022-07-26T11:11:25Z Ryzee119 2519 Spelling wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard (https://xboxdevwiki.net/Motherboard#USB_Daughterboard). The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instances Ports 2,3 and 4 on the OHCI Root Hub are not connected. Xbox software uses a kernel export to determine which ports to use when looking for gamecontrollers. Bit 1 of export variable XboxHardwareInfo determines whether the daughterboard is present. If set, the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to 3,4,2,1 respectively of the RootHub or Daughterboard Ports. </pre> 895c1c985cfae836d884d76a14ac480800df4011 7290 7288 2022-08-01T03:33:01Z Ryzee119 2519 wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard (https://xboxdevwiki.net/Motherboard#USB_Daughterboard). The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instances Ports 2,3 and 4 on the OHCI Root Hub are not connected. Xbox software uses a kernel export to determine which ports to use when looking for gamecontrollers. Bit 0 of export variable XboxHardwareInfo determines whether the daughterboard is present. If set, the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to 3,4,2,1 respectively of the RootHub or Daughterboard Ports. </pre> 3e6e4e05b1e775e408b9f63e26b75c57d23ca695 7297 7290 2022-11-11T21:13:00Z Ryzee119 2519 /* V1.0 Xboxes */ Typo instances to instance wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard (https://xboxdevwiki.net/Motherboard#USB_Daughterboard). The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instance Ports 2,3 and 4 on the OHCI Root Hub are not connected. Xbox software uses a kernel export to determine which ports to use when looking for gamecontrollers. Bit 0 of export variable XboxHardwareInfo determines whether the daughterboard is present. If set, the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to 3,4,2,1 respectively of the RootHub or Daughterboard Ports. </pre> 98428314baf58a6c3840a948999510f1a78b471d 7298 7297 2022-11-11T21:14:17Z Ryzee119 2519 /* Port Numbering */ reword and fix error wikitext text/x-wiki == USB Host Controllers == Xbox hardware contains two OHCI USB Host controllers within the MCPX southbridge. The two controllers are designated USB0 and USB1. On retail consoles USB0 is connected to the 4 front panel game controller ports. Although USB1 is available, it is not enabled in retail titles and it is not mapped out of the MCPX, so it is difficult to use in homebrew. The USB controllers are configured and accessed over MMIO. See https://xboxdevwiki.net/Memory. The memory structure follows the standard OHCI specification (OHCI Spec Table 7-1). * USB0 is on PCI Bus 0, device 2, function 0 and is connected to IRQ1. * USB1 is on PCI Bus 0, device 3, function 0 and is connected to IRQ9. OHCI supports USB devices up to USB1.1 12Mbit/s. OHCI also supports Low Speed USB (1.5MBit/s) however it appears that the retail XDK host stack does support Low Speed devices. Xbox hardware has the following specific OHCI register values set by the system firmware that may differ from the standard (Obtained from a Retail v1.6 PAL Xbox): <pre> USB0: HcRevision: 0x10 HcRhDescriptorA: 0x01001204 NumberDownstreamPorts: 4 (Four downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 1 (No overcurrent protection supported) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> <pre> USB1: HcRevision: 0x10 HcRhDescriptorA: 0x01000202 NumberDownstreamPorts: 2 (Two downstream ports) PowerSwitchingMode: 0 (All ports are powered at the same time) NoPowerSwitching: 1 (Ports are always powered on when the HC is powered on) DeviceType: 0 (Not a compound device - always 0 for Roothubs) OverCurrentProtectionMode: 0 (Over-current status is reported collectively for all downstream ports) NoOverCurrentProtection: 0 (Over-current status is reported collectively for all downstream ports) PowerOnToPowerGoodTime: 1 (2ms Power on to good time) HcRhDescriptorB: DeviceRemovable: 0 (Device not removable) PortPowerControlMask: 0 (Power Control Mask not set) </pre> == V1.0 Xboxes == V1.0 Xbox consoles differ in that they contain an internal 4 Port USB Daughterboard (https://xboxdevwiki.net/Motherboard#USB_Daughterboard). The daughterboard is connected to Port 1 of the OHCI Root Hub. The 4 downstream ports of the daughterboard are then fed to the 4 front panel game controller ports. In this instance Ports 2,3 and 4 on the OHCI Root Hub are not connected. Xbox software uses a kernel export to determine which ports to use when looking for gamecontrollers. Bit 0 of export variable XboxHardwareInfo determines whether the daughterboard is present. If set, the daughterboard is present. == Port Numbering == The front gamecontroller ports are not connected sequentially to the OHCI Root Hub ports or the Daughterboard. The following port mapping applies to all Xbox revisions: <pre> Game controller Port 1,2,3,4 are connected to USB hardware port 3,4,1,2 respectively. </pre> b5a875e9e5b8708e85beb3f283d1badc8f27107b 0 1 7277 7043 2022-07-26T05:34:00Z Ryzee119 2519 /* Hardware */ wikitext text/x-wiki {{:Main Page/Header}} __NOTOC__ == Hardware == * [[Chihiro]] * [[Xbox]] * [[Hardware Revisions]] * [[Motherboard]] * [[CPU]] * [[NV2A]] ** [[NV2A/Vertex attributes]] ** [[NV2A/Fixed Function Pipeline]] ** [[NV2A/Vertex Shader]] ** [[NV2A/Pixel Combiner]] ** [[NV2A/Surface Formats]] * [[Memory]] * [[Flash ROM]] * [[MCPX]] ** [[LPC_Debug_Port|LPC]] ** [[APU]] *** [[DSP]] ** [[ACI]] ** [[Network]] * [[PCI]] * [[SMBus]] ** [[EEPROM]] ** [[SMC]] ** [[Video Encoder]] *** [[AV Cables]] * [[DVD Drive]] ** [[Xbox Game Disc]] * [[Hard Drive]] ** [[Config Sector]] * [[USB]] ** [[Xbox Input Devices]] ** [[Xbox Memory Unit]] ** [[Xbox Live Communicator]] <!-- Maybe rename this to microphones later? --> ** [[Xbox DVD Movie Playback Kit]] ** [[Xbox Cam (for Video Chat)]] * [[Power Supply]] * [[Development Kits]] ** [[Super I/O]] ** [[DVD Emulator]] * [[Manufacturing Process]] == System Software == * [[MCPX ROM]] * [[BIOS]] / [[Kernel]] ** [[Boot Process]] ** [[XBE]] (Executable file format) * [[FATX]] (Filesystem) * [[Xbox ADPCM]] * [[Dashboard]] ** [[Soundtracks]] ** [[Fatal Error]] * [[Exploits]] == Development Kits and Tools == * [https://github.com/xqemu/nxdk nxdk (New Xbox Development Kit)] * [[OpenXDK]] * [[Microsoft XDK]] ** [[Xbox Title Libraries]] ** [[Direct3D]] ** [[DirectSound]] ** [[System Link]] ** [[Xbox Live]] *** [[Xbox Live/Connection Test|Connection Test]] *** [[Xbox Live/Machine Account|Machine Account]] ** [[Xbox Debug Monitor]] ** [[Xbox Neighborhood]] ** [[Kernel_Debug|Xbox Kernel Debugging]] == Games == * [[:Category:Games|Games]] * [[Engine List]] == Emulation == * [[Emulators]] ** [[Xemu|xemu]] ** [[Cxbx-Reloaded]] ** [[XQEMU]] ** [[Fusion]] ** [[Fission]] == Operating Systems == * [[Linux]] * [[ReactOS]] == Historical Pages == (archived from the xbox-linux wiki) * [[Xbox Hard Drive Locking Mechanism]] * [[Xbox Savegame System]] * [[Xbox Hardware Overview]] * [[Xbox Hard Disk Technical_Details]] * [[Xbox Hard Disk Partitioning]] * [[Xbox Manufacturing Process]] * [[The Hidden Boot Code of the Xbox]] * [[PIC]] * [[SMBus]] * [[NForce]] * [[17 Mistakes Microsoft Made in the Xbox Security System]] * [[Porting an Operating System to the Xbox HOWTO]] == Other == * [[Patents]] * [[Resources]] ccb9a2914582658bad9a8c86e35721b80ff9f14d 0 4045 7278 2022-07-26T05:34:42Z Ryzee119 2519 Create Xbox Cam page wikitext text/x-wiki == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 8053a14de3a0976e650dd5cf8edb5db71b2a89f9 0 3829 7280 6865 2022-07-26T06:07:16Z Ryzee119 2519 /* Protocol */ wikitext text/x-wiki The Xbox Live Communicator is the headset which is used for Xbox Live. [[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]] [[File:XBCommunicator-front.jpg|thumb|200px|PCB Front]] [[File:XBCommunicator-back.jpg|thumb|200px|PCB Back]] == Protocol == The Xbox Live Communicator (XBLC) is a a USB1.1 compliant device with two interfaces. One for Microphone and one for a mono speaker. The speaker and microphone interface each has a single isochronous endpoint. The speaker and microphone are differentiated by the direction of the isochronous endpoint in the Interface descriptor. The headset supports the following audio sample rates (All at signed 16bit LE PCM samples). The units are in samples per second. The microphone and speaker cannot have separate sample rates. * 8000 * 11025 * 16000 * 22050 * 24000 If a sample rate does not divide evenly into USB frame 1ms blocks, the Host Controller driver is responsible for adding an additional sample every n frames. The formula for calculating this is: <pre>n = 1000 / (sample_rate % 1000)</pre> For example at 11025 Hz, retail titles will add/request an extra sample every 40 USB frames. == USB Interface == === Set Sample Rate === The Sample Rate for the speaker and microphone is set by a control transfer to endpoint 0 of the device. The transfer has the following format (Ref USB2 Spec 9.3) <pre> bmRequestType = Host-to-device | Vendor | Interface (0x41) bRequest = SET_FEATURE (0x03) wValue = 0x100 | sample_rate wIndex = 0x0000 wLength = 0x0000 </pre> Where sample_rate = 0 for 8000, up to 4 for 24000. === Unknown Command === A secondary control transfer has been observed in retail titles, however its purpose is not clear. It is believed to be for enabling/disabling Auto Gain Control for the Microphone. The transfer has the following format: <pre> bmRequestType = Host-to-device | Vendor | Interface (0x41) bRequest = SET_FEATURE (0x03) wValue = 0x0001 or 0x0000 (enable or disable?) wIndex = 0x0001 wLength = 0x0000 </pre> Where wValue = 0 or 1 to enable or disable this feature === USB Descriptor === <pre> Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 45 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Microphone === {{FIXME}} === Speaker === {{FIXME}} ==== Links ==== * [https://github.com/JayFoxRox/xbox-tools/tree/4bc808e187311010f850d7fbd9af4b76bed90727/communicator-tool Code for accessing the communicator microphone and speaker] * [https://web.archive.org/web/20200521011406/http://www.kako.com/neta/2005-009/uac3556b.pdf Datasheet for UAC 3556B (close to the 3560B that the Xbox Communicator uses] 4395742e7a67df23399b8ea07024621500fb0539 0 3706 7289 7038 2022-07-30T17:52:20Z Thrimbor 2531 "Standard Windows format" is actually a UNIX timestamp wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: {{FIXME}} [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 50147c36799275bad9b7429ecc59c7ce428fd1e5 7292 7289 2022-09-07T01:27:16Z Edness 2544 /* Title ID */ wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KN || Konami |- | KO || KOEI |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: 45410017 [EA-023] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 996797f16c71da25e1f6a24526af64780d57702a 0 3765 7291 6683 2022-08-27T13:34:38Z KaosEngineer 2482 fixed typo under AMD Heritage section - bee -> been wikitext text/x-wiki {{retrieved|http://www.xbox-linux.org/wiki/NForce}} This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives. == nForce == The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours: * IGP-64: 64 bit memory bus * IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation * MCP-D: includes Dolby Digital encoder * MCP: Dolby Digital encoder disabled So these are the four possible combinations: {| class="wikitable" |- | | MCP | MCP-D |- | IGP-64 | nForce 220 | nForce 220D |- | IGP-128 | nForce 420 | nForce 420D |} [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/] The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A. [https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de] [https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm] Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side: * The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2". * The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128. == Crush == "Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX. [https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm] [https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/] == nForce &amp; Xbox == The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1). [https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535] [https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&amp;p=3] == AMD Heritage == There is the following rumour, which is not fully verified yet: * Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware. * When alpha hardware had already been built, Intel made a better deal * Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an Intel CPU * Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia. * nVidia sold the same chipset for PCs, calling it "nForce". This is the reason why * the Xbox is the only nForce chipset with an Intel CPU * the AMD chipset and the nForce chipset are so similar Evidence: * The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c]) * The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c] * The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111. * The nForce and AMD-768 modems are compatible. * At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136). * The nForce uses HyperTransport. * [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html] * ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/] {| class="wikitable" |- | | Northbridge | Southbridge |- | AMD-760 | AMD-761 | AMD-766 |- | AMD-760MP | AMD-762 | AMD-766 |- | AMD-760MPX | AMD-762 | AMD-768 |} [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs] [https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs] <br /> The nForce chipset might be based on the AMD-760 chipset. == More Links == [https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm] 131e8431065e76fbf2b12713dec9695548a94765 0 4046 7293 2022-09-23T18:17:29Z Agarmash 2543 Add method description wikitext text/x-wiki Allocates a range of physically contiguous, cache-aligned memory from nonpaged pool (main pool on xbox). <pre>XBSYSAPI EXPORTNUM(165) PVOID NTAPI MmAllocateContiguousMemory ( IN ULONG NumberOfBytes );</pre> [https://github.com/XboxDev/OpenXDK/blob/master/include/xboxkrnl/mm.h Source] ccba977c7d6f5b04d1995b5c638ead72e0762d54 0 3756 7294 6808 2022-10-19T20:38:41Z Doom 2542 Updates 1.4 boardscan link to a working one. wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == * [https://docs.google.com/spreadsheets/d/1oT4OtE95sguxA5KZrlwC_XEF3nlpzrql1ESycBGPtDA/edit#gid=0 Some measurements of passive components by Redherring32 (The Fish)]{{FIXME|reason=Taken from https://discordapp.com/channels/428359196719972353/428359434230693899/592363537343447040}} [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === * [https://github.com/Teufelchen1/XBOX-USB-HUB Homemade PCB remake by Teufelchen] [[File:USB_Daughterboard_front.png|100px|thumb|right|Xbox Version 1.0 USB Daughterboard]] {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} == Xbox 1.1 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == * [https://drive.google.com/drive/folders/1dmMwJkFyu6Tw6SPgfJd_9oZ6wLzpNlmX PCB scan by LoveMHz]{{FIXME|reason=Should live in some repo or something}} {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] 69e80f6bd793cdf238eb2cc57071f64eca786239 0 3 7295 6820 2022-10-21T09:40:36Z Mborgerson 2478 wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://sites.google.com/site/richgel99/home * https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] * [https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20video%20and%20slides/DEF%20CON%2030%20-%20Tristan%20Miller%20-%20Reversing%20the%20Original%20Xbox%20Live%20Protocols.mp4 Reversing the Original Xbox Live Protocols] presented by [[User:monocasa]] at DEF CON 30 (2022) == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == === Graphics programming === * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf * [https://web.archive.org/web/20090518092325/http://www.daionet.gr.jp:80/~masa/column/index.html Masa's Column (DOUBLE-S.T.E.A.L / Wrecked developer)] * [https://fgiesen.wordpress.com/ Blog by ryg] * [http://filmicworlds.com/blog/ Filmic Worlds] * [https://gpuopen.com/archive/gamescgi/cubemapgen/ AMD CubeMapGen tool for mipmapping cubemaps] 225706b3254dc20566fd96819f9ed9383443f453 0 3693 7296 6915 2022-10-21T09:43:36Z Mborgerson 2478 wikitext text/x-wiki Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft. It was first made available to the Xbox system in November 2002. ([https://en.wikipedia.org/wiki/Xbox_Live Wikipedia]) Xbox Live support for the original Xbox ended in April 15, 2010. == Architecture == The Xbox Live architecture consists of Kerberos-based authentication tickets, with a Secure Gateway used to then access services (such as Matchmaking, Statistics/Leaderboards, and custom game servers) Authentication and access to Xbox Live services is controlled using the Kerberos protocol with a few proprietary customisations for the Xbox. When an Xbox first connects, the server gives it a [[Xbox Live/Machine Account|Machine Account]] which it uses to access the service; this machine account is always sent, but it can only be used alone to access UACS (User Account Creation Service) to create a user account - with both a machine account and user account, all other services are accessible. == XDK Functions == {| class="wikitable" |+XOnline* Functions |- ! function ! description |- |XOnlineGetUsers(XONLINE_USER* XBLAccountusers, DWORD* numOfXBLiveAccounts) |The XOnlineGetUsers function will enumerate both the hard disk and any attached memory units looking for user accounts |- |XOnlineTaskClose(XONLINETASK_HANDLE logonHandle) |Called to abort the authentication process. |- |XOnlineStartup( XONLINE_STARTUP_PARAMS* ) | |- |XOnlineLogon(XONLINE_USER* XBLLoggedOnUsers, DWORD* XBLservices, DWORD SERVICE_COUNT, NULL, XONLINETASK_HANDLE &logonHandle) |When a title calls XOnlineLogon to sign in, instead of blocking until the authentication completes, an asynchronous task handle is returned. As part of the authentication process a title must specify which services it will be using (XBLservices, SERVICE_COUNT). |- |XOnlineTaskContinue(XONLINETASK_HANDLE logonHandle) |Called to check the status of XOnlineLogon. It will return XONLINETASK_S_RUNNING while the login process has not been completed. |- |XOnlineLogonTaskGetResults(XONLINETASK_HANDLE logonHandle) |Will return XONLINE_S_LOGON_CONNECTION_ESTABLISHED when the task is successfully completed. Otherwise it will return an error code. |- |XOnlineGetLogonUsers() |This returns a pointer to an array of XONLINE USER structures. This array is similar the XONLINE USER array we populated and passed into XOnlineLogon, but is updated with error status and permission flags for each user. |- |XOnlineSetUserGuestNumber(dwUserFlags , 1) | |- |XOnlineTitleUpdate(DWORD) |The XOnlineTitleUpdate function will boot into an updater application, which performs the actual update |- |XOnlineGetServiceInfo(Service, ?) |XOnlineGetServiceInfo returns the connection status for a service |- |XOnlineNotificationSetState | |} == Discontinuation of service == The service was officially discontinued on April 15th, 2010. 12 players decided to stay in a lobby of ''Halo 2'' 24/7 to keep a server running. The final player, Apache N4SIR was streaming the entire event, as the player count of 12 twindeled down to just him. At 11:40 PM PDT, on May 11th 2010, Apache N4SIR was booted from the game[http://i.imgur.com/oQw6k5H.jpg]. == See Also == * [https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20video%20and%20slides/DEF%20CON%2030%20-%20Tristan%20Miller%20-%20Reversing%20the%20Original%20Xbox%20Live%20Protocols.mp4 Reversing the Original Xbox Live Protocols] presented by [[User:monocasa]] at DEF CON 30 (2022). e29a13ed6592d45333da10e0c3fa1f3406725a16 0 4006 7299 7041 2022-12-20T20:29:00Z Useruser 2541 Add a 2 row Chihiro thanks to catawalks wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} cbac490324a6d8ca91630d42fd5d6ee7e66333ce 7300 7299 2022-12-21T14:16:19Z Useruser 2541 Add xbox7887's DVT3 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | 0xB1 | MCP X2 | ? | "DVT3(?)" | NULL | Y | xbox7887 |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} fa979577e9a8511785f55f6d8abfbcaf3dd01337 0 4006 7301 7300 2022-12-24T02:20:54Z Useruser 2541 Reorg protos wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | 0xA1 | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | 0xB1 | MCP X2 | ? | "DVT3(?)" | NULL | Y | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 3869c2896e1550e129a3a2da8e4174c090ec4ee3 7302 7301 2022-12-24T03:20:12Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | 0xA1 | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | 0xB1 | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | 0xB1 | MCP X2 | ? | "DVT3(?)" | NULL | Y | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 90f22c3c1c8a4d56ca653fc4ccf2bc03e43fdb53 7303 7302 2022-12-24T22:45:58Z Useruser 2541 MCPX rev isn't always the same as NV_BOOT_0 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Debug? ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | 0xB1 | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | Y | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | Y | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | Y | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | Y | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | Y | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | ? | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} b596cc70fbde6360342478708e9910d9dbd45683 7304 7303 2022-12-24T22:46:47Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | 0xB1 | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200864113402 | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 7b5a801d20684806127a9536fb79515e26d80207 7305 7304 2022-12-24T22:49:13Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} b7443ea8fe356090bd9d80d643f2bafedb7c5961 7306 7305 2022-12-24T22:56:33Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 7392385b5b5f4d726cc2dbb105c121cdcde265de 7307 7306 2022-12-24T22:58:14Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} e14db4275480c6fd5aaf0a31711bd25ba4ee0ff9 7308 7307 2022-12-24T22:59:56Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} aa06bbaca7179be6a2eb68b9ff9d37f7f0229bdc 7309 7308 2022-12-24T23:02:55Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 | ? | "Development Kit" | ? | SMC marking & product sticker. Also marked "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 3b0365c852fd7b9ef3420ba38356eae9221d7d21 7310 7309 2022-12-24T23:10:13Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: XDK B2 : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} ff8706ef1aaa08b439ed8454f212b8b7ba044c07 7311 7310 2022-12-24T23:11:28Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: XDK B2 : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 52ae0e02224519ebc6cac5ede38f0a1130268896 7312 7311 2022-12-24T23:17:43Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: XDK B2 : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | D10 | 0xD4 | MCPX X2 | 0xA3 | ? | 600901521802 | 64MB "BetaLive" box seen here: https://www.youtube.com/watch?v=754Rhdx3sMo - xbox7887 |} 63bec7091b898bebf9f09d6a508bb6bbdeaf2935 7313 7312 2022-12-25T06:56:44Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: XDK B2 : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: XB-DVT2-Conf L 49 - "BetaLive" 64MB |} 851256449a3c53fa606bb07e51bab03f847bda43 7314 7313 2022-12-25T06:57:47Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: XDK D2 |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: XDK B2 : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: XDK B2 |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: XB-DVT2-Conf L 49 - "BetaLive" 64MB |} 8c27bb06d508fafcdaba7a364bfe6f38280c649c 7315 7314 2022-12-25T07:02:41Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |} f2596affeaa4218a0f3fbbf015332ef9f67cc766 7316 7315 2022-12-30T21:20:59Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |} 38d0a3811bc77941509b2af74b110f08cecc11ed 7317 7316 2022-12-31T12:47:54Z Useruser 2541 Add another blackshell dev wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |} 1850f729709d3b322d8b80edaa2c35d7de67f380 7323 7317 2023-04-15T10:39:53Z Useruser 2541 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 | 0xA3 | "Debug Kit" | 200343213202 | doom |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |- | D2L | 0xD5 | ? | 0xD3 | ? | 421804232805 | gamebox_ukv - Sticker on front: "Tuscany EVT6, Config E, XM2, Slow, Fast, Fast, Fast, F-die" |} b9035b83bcbde554abc2801edbec3bb4426e0dde 7324 7323 2023-04-26T17:15:20Z Doom 2542 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200343213202 | doom - "XDK B2" - Motherboard Revision -006 (Week 31, 2001) |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" - Motherboard Revision -008 (Week 34, 2001) |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |- | D2L | 0xD5 | ? | 0xD3 | ? | 421804232805 | gamebox_ukv - Sticker on front: "Tuscany EVT6, Config E, XM2, Slow, Fast, Fast, Fast, F-die" |} befaad3209890593a4b89baeb311789f9775ccf7 7325 7324 2023-06-05T12:55:09Z Useruser 2541 doom dvt3 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | NULL | doom - Sticker: "Low Jittor required", GPU: NV2A G07850.1 0119A2, Case: XDK BETA 1C EUROPE CONSOLE BOX LOW JITTER REQUIRED |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200343213202 | doom - "XDK B2" - Motherboard Revision -006 (Week 31, 2001) |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" - Motherboard Revision -008 (Week 34, 2001) |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |- | D2L | 0xD5 | ? | 0xD3 | ? | 421804232805 | gamebox_ukv - Sticker on front: "Tuscany EVT6, Config E, XM2, Slow, Fast, Fast, Fast, F-die" |} 5d21d02ebade0f74c9db87c274592345a572ceab 7328 7325 2023-07-12T14:50:02Z Useruser 2541 more info about EVT6 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "DVT2(?)" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT3(?)" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | NULL | doom - Sticker: "Low Jittor required", GPU: NV2A G07850.1 0119A2, Case: XDK BETA 1C EUROPE CONSOLE BOX LOW JITTER REQUIRED |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3(?)" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200343213202 | doom - "XDK B2" - Motherboard Revision -006 (Week 31, 2001) |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" - Motherboard Revision -008 (Week 34, 2001) |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |- | D2L | 0xD5 | MCPX X2 FA8603.11C 0316D3 | 0xD3 | ? | 421804232805 | gamebox_ukv - Sticker on front: "Tuscany EVT6, Config E, XM2, Slow, Fast, Fast, Fast, F-die", MCPX is also marked "ENG SAMPLES" |} 747acf73eec9105a22308c68d0ed16bb85e40021 7337 7328 2023-10-16T15:29:29Z Doom 2542 wikitext text/x-wiki Would be nice to have "Prototype" versions of those as well as later models, need more models of "Debug Kits". '''Retail''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | P01 | 0xB2 | MCPX X3 F45818.1 0142B2 | 0xA3 | "1.0" | 409872520802 | Andy |- | P05 | 0xD4 | MCPX X3 | 0xA3 | "1.1" | 420466624702 | |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.2" | 205742131205 | catawalks |- | P11 | 0xD4 | MCPX X3 FB2202.1 0319D1 | 0xA3 | "1.3" | 610282232705 | cato |- | P11 | 0xD4 | MCPX X3 | 0xA3 | "1.4" | 115526133005 | Ryzee119 |- | P2L | 0xD5 | MCPX X3 FF3372.1 0410D3 | 0xD3 | "1.6" | 419690643505 | dracc |} '''Debug''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D01 | 0xB2 | MCPX X2 | 0xA3 | "Debug Kit - 1.0" | 600370522902 | DarkGabbz |- | ? | ? | ? | ? | "Debug Kit - 1.1" | ? | |- | B11 | 0xD4 | MCPX X2 FC1389.1 0345D1 | 0xA3 | "Debug Kit - 1.2" | 603747143905 | xbox7887 |} '''Chihiro''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PMC_BOOT_0 ! Assumed Model ! SN# ! Notes |- | D05 | 0xD4 | MCPX X2 FA0444.C1 0224D1 | 0xA3 | "Chihiro - Single row connector" | 346301512362 | Andy - Sticker: "Arcade" |- | B11 | 0xD4 | MCPX X2 FA1864.1 0345D1 | 0xA3 | "Chihiro - Dual row connector" | 470204035125 | catawalks |} '''Prototypes and pre-launch date boxes''' {| class="wikitable" |- ! SMC Revision ! MCP PCI Revision ! Marked MCP Revision ! NV_PCM_BOOT_0 ! Assumed Model ! SN# ! Notes |- | A1E | ? | MCP XMODE2 | ? | "EVT / DVT1" | ? | Random poster on AG did a drive by and posted pictures of a box with 64MB of RAM. SMC rev is assumed based on writing on the SMC. 'A1' marking on MCP, coin-cell battery. |- | B1C | ? | MCP XMODE2 C63860.02 0115B1 | ? | "DVT2" | ? | (Rare) black DVT3 shell with presumably 'early' DVT3 BETA-1C internals: https://twitter.com/DerfJagged/status/1378711268408836097 |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3(?)" | ? | Syclopse posted this Xbox on AG, it contains 128MB RAM. |- | B2A | ? | MCP XMODE2 C63861.01 0117B1 | ? | "DVT3" | NULL | doom - Sticker: "Low Jittor required", GPU: NV2A G07850.1 0119A2, Case: XDK BETA 1C EUROPE CONSOLE BOX LOW JITTER REQUIRED |- | B2A | ? | MCP X2 C63905.00 0119B1 | ? | "DVT3" | NULL | xbox7887 - Sticker: "XDK BETA 1C NA" |- | B2A | ? | MCP X2 | ? | "DVT3(?)" | ? | Found on some random Denmark website : https://www.playright.dk/rare/titel/xbox-development-kit/xbx |- | B5C | ? | MCP X2 CF0532.01 0127B2 | ? | "DVT5(?)" | ? | Black shell with serial port - Sticker: "DVT5" |- | DXB | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200343213202 | doom - "XDK B2" - Motherboard Revision -006 (Week 31, 2001) |- | DXB | 0xB2 | ? | 0xA3 | "Development Kit" | NULL | doom |- | DXF | 0xB2 | MCP X2 CF0532.01 0126B2 | 0xA3 | "Debug Kit" | 200864113402 | cato - Sticker: "XDK D2" - Motherboard Revision -008 (Week 34, 2001) |- | DXF | ? | MCP X2 CF0532.01 0127B2 | ? | "Development Kit" | ? | Sticker: "XDK B2" : https://www.youtube.com/watch?v=YUe_6ys5-kA |- | DXB | 0xB2 | MCPX X2 CF0532.0C 0128B2 | 0xA3 | "Debug Kit" | 200431413302 | catawalks - Sticker: "XDK B2" |- | D10 | 0xD4 | MCPX X2 FA0444.2B 0210D1 | 0xA3 | ? | 600901521802 | xbox7887 - Sticker: "XB-DVT2-Conf L 49" : Claimed beta Xbox Live box, 64MB |- | D2L | 0xD5 | MCPX X2 FA8603.11C 0316D3 | 0xD3 | ? | 421804232805 | gamebox_ukv - Sticker on front: "Tuscany EVT6, Config E, XM2, Slow, Fast, Fast, Fast, F-die", MCPX is also marked "ENG SAMPLES" |} 29162f038b9732caf24021ca487994b231772e4d 0 4045 7318 7278 2023-01-07T00:03:05Z Ryzee119 2519 /* Videochat - Xbox Cam */ wikitext text/x-wiki == Videochat - Xbox Cam == Videochat was released June 2004 in Japan and is a Xbox live enabled/required video chat program with a camera called "Xbox cam" that allowed users to voice and video chat with fellow Xbox videochat users. an active live subscription apear to be required. up to 5 users can videochat with eachother. "The package includes a camera, a 12-month subscription to Xbox Live, an Xbox Live Voice Communicator, Video Chat Disk with software needed to make it all work, and an Xbox Live Starter Kit Disk. The Xbox Video Chat provides for voice alteration and comes with 40 preinstalled background music tracks. It includes a function to turn the TV screen into a mirror temporarily, so players can groom themselves before joining a conversation." [http://theinspirationroom.com/daily/2005/xbox-video-chat/ The Inspiration Room - Xbox Live Video Chat in Japan] * Dvd mediaset number: X10-98754 * Xbox cam: X10-71835 === USB Descriptor === <pre> Bus 003 Device 003: ID 045e:028c Microsoft Corp. Xbox Video Camera Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x028c bcdDevice 1.00 iManufacturer 1 Microsoft iProduct 2 Xbox Video Camera iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0059 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 1 Transfer Type Isochronous Synch Type None Usage Type Data wMaxPacketSize 0x0000 1x 0 bytes bInterval 1 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 1 bNumEndpoints 1 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 1 Transfer Type Isochronous Synch Type None Usage Type Data wMaxPacketSize 0x0180 1x 384 bytes bInterval 1 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 2 bNumEndpoints 1 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 1 Transfer Type Isochronous Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 1 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 3 bNumEndpoints 1 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 1 Transfer Type Isochronous Synch Type None Usage Type Data wMaxPacketSize 0x0300 1x 768 bytes bInterval 1 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 4 bNumEndpoints 1 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 1 Transfer Type Isochronous Synch Type None Usage Type Data wMaxPacketSize 0x0380 1x 896 bytes bInterval 1 Device Status: 0x0000 (Bus Powered) </pre> === Sources === *[https://imgur.com/a/zbCzl Borman ptoponline.com photos, he forgot he took the pictures] *[http://www.eurogamer.net/articles/ss_videochat_x eurogamer photos] *[https://www.youtube.com/watch?v=__6hxTzc8YY Videochat trailer on Xbox-Ism Disk2 TGS 2004] == Notes == * http://euc.jp/periphs/xbox-controller.en.html 038f0a3d51e917771689ea42f5a53212b2631ccd 0 3703 7319 6936 2023-01-10T21:29:53Z Mborgerson 2478 Update xemu repo link wikitext text/x-wiki This is a list of known Xbox emulation projects {| class="wikitable sortable" !Status !Approach !Chihiro !Name !Links !Initiator !Platform !License !Notes |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[XQEMU]] |[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu] |espes |Windows/macOS/Linux/Others | |XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[[Xemu|xemu]] |[https://xemu.app/][https://github.com/xemu-project/xemu] |mborgerson |Windows/macOS/Linux | |xemu is a fork of XQEMU but more usable |- |{{Yes|Maintained}} |HLE/LLE Hybrid |{{No}} |[[Cxbx-Reloaded]] |[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded] |SoullessSentinel |Windows | |Cxbx-Reloaded supports LLE GPU emulation which was taken from XQEMU. At the time of writing, the LLE GPU is significantly slower than in XQEMU. |- |{{Yes|Maintained}} |LLE |{{Yes}} |[http://mamedev.org/ MAME] |[http://adb.arcadeitalia.net/?mame=xbox][http://adb.arcadeitalia.net/?mame=chihiro][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Xbox][http://emulation.gametechwiki.com/index.php/MAME_compatibility_list#Chihiro_Arcade] |[https://github.com/mamedev/mame/commits?author=yz70s yz70s] (Samuele Zannoli) and MAME Team |Windows/macOS/Linux/Others | |Focus seems to be on Chihiro emulation. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[[Fusion]][http://michaelbrundage.com/project/xbox-360-emulator/] | |Microsoft |Xbox 360 |Proprietary | |- |{{Yes|Maintained}} |LLE/HLE Hybrid{{citation needed}} |{{No}} |[[Fission]][http://www.ign.com/articles/2017/10/23/the-untold-story-of-xbox-one-backwards-compatibility] |[http://www.xbox.com/en-US/xbox-one/backward-compatibility] |Microsoft |Xbox One |Proprietary |Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/]. | |- |{{No|Dead}} |LLE |{{No}} |Tortoise |[https://gitlab.com/kvmbox-reloaded/] |JayFoxRox, phire | | |The decision was made to create an HLE / LLE Xbox emulation project which is maintained similar to Dolphin or Citra. A key focus was on design simplicity. The project started as a continuation of kvmbox, with devices being copied from the XQEMU source code. The project was called kvmbox-reloaded, while the name was being decided. The HLE portion was never worked on. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |OpenXBOX |[https://github.com/mborgerson/OpenXBOX] |mborgerson | | | |- |{{No|Dead}} |HLE/LLE Hybrid |{{No}} |xexec | |[http://xboxdevwiki.net/User:Haxar Haxar] |Linux | |Xexec is an Xbox executable loader & emulator for x86/x64 Linux; handles direct execution of x86 code, executing Xbox game code directly on the CPU, in userspace Linux; All Windows kernel calls from Xbox game code are translated into POSIX syscalls, with no dependency on Wine. |- |{{No|Dead}} |LLE/HLE Hybrid |{{No}} |[https://github.com/blueshogun96/MacBox MacBox] |[http://shogun3d-cxbx.blogspot.com/2017/01/the-macos-experiment-part-1.html][http://shogun3d-cxbx.blogspot.com/2017/01/around-beginning-of-new-year-i.html] |blueshogun96 |macOS | |"The macOS Experiment" - An experimental VM for Macs that don't have support for the official VM framework. A simple proof of concept. |- |{{Yes|Maintained}} |LLE/HLE Hybrid |{{No}} |StrikeBox |[https://github.com/StrikerX3/StrikeBox] |StrikerX3 |Windows/Linux | |A fork of OpenXBOX, which was turned into a separate project. |- |{{No|Dead}} |HLE |{{No}} |[[Cxbx]] | |Caustik |Windows | | |- |{{No|Dead}} |HLE |{{No}} |Dxbx |[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/] |ShadowTj |Windows | |The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language. |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/impeachgod/Dirtbox Dirtbox] | | |Windows | | |- |{{Unknown}} |HLE |{{No}} |[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel] | |daeken |Unknown | |This seems to have been a generic portability framework |- |{{Unknown}} |HLE |{{No}} |[https://github.com/daeken/Steelbreeze Steelbreeze] | |daeken |Unknown | | |- |{{Unknown}} |LLE/HLE Hybrid |{{No}} |[https://github.com/daeken/Zookeeper Zookeeper] |[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/] |daeken |macOS | |Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.154342/ XbeNext] |[https://github.com/LoveMHz/XBENext] |LoveMHz |Windows | | |- |{{No|Dead}} |HLE |{{No}} |[http://ngemu.com/forums/.65/ Xeon] | |_SF_ |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[http://ngemu.com/threads/.105210/ XProject] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://code.google.com/p/xbem xbem] | | |Windows | | |- |{{No|Dead}} |LLE/HLE Hybrid |{{Yes}} |Hackbox | |JayFoxRox |Windows/Linux |Private |This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection. |- |{{Unknown}} |LLE |{{No}} |[https://github.com/phire/kvmbox kvmbox] | |phire |Linux | | |- |{{Unknown}} |HLE |{{No}} |[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/bjh83/boombox boombox] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/docbrown/vxb vxb] | | |Windows | | |- |{{Unknown}} |Unknown |{{No}} |[https://github.com/quantumdude836/exciplex exciplex] | | |Windows | | |- |{{No|Dead}} |LLE |{{No}} |[https://github.com/monocasa/xbvm XBVM] | |monocasa |Linux | | |- |{{No|Dead}} | |{{No}} |[http://xenoborg-emu.blogspot.com/ Xenoborg] | |blueshogun96 |Windows | | |} == References and links == * [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]] 4babe84d55e0bbe5e35ddee8f45c4d2be02afb73 0 11 7320 6943 2023-01-27T22:14:49Z Benryves 2548 /* bType = 1: Xbox Gamecontroller */ Added bSubType value for light guns wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ** 0x50 = Light gun ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType: ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) bMaxOutputReportSize 0x00 (0 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Microphones == === Xbox Communicator === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x002d bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> === Xbox Karaoke === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0501 bcdDevice 1.00 iManufacturer 1 Licensed 3PP Vendor iProduct 2 Karaoke Microphone Module iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x001b bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 121 bInterfaceSubClass 1 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0060 1x 96 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 686a68a9f93136ae74cc770658ed61ea4cf9be1f 7321 7320 2023-01-27T22:59:58Z Benryves 2548 /* Light guns */ Added notes on standard Xbox light gun input/output reports wikitext text/x-wiki == XID Overview == XIDs are USB devices. The hardware side is USB with a different plug while the software side is USB without HID-descriptors. Technicly a XID is a USB-hub for the Memory-Units and the XBL Communicator. The logical XID gamepad USB device is internally connected to that hub. === USB Adapters === The Xbox's Input devices are USB devices. As such, you can connect a keyboard to the Xbox, or a gamepad to your PC. In fact, Linux already has drivers for the gamepad. In order to preserve Xbox hardware, please do not cut OEM Xbox cables to make an adapter; decent adapters can be acquired cheaply (~$10 USD ea. on 2017.04.30). [[File:Xboxmaletousbfemale.png|thumb|right|Wiring diagram to show how male Xbox controller plug maps to standard female USB connector. White cable color is depicted as gray for better visibility. The yellow cable is not connected to the USB side, as it's exclusive to Xbox.]] {| class="wikitable" |- ! Port (From) ! Plug (To) ! Link |- | Xbox | USB-A | [https://www.amazon.com/gp/product/B000RT2868 Amazon] [https://www.aliexpress.com/item/32948906701.html Aliexpress] |- | USB-A | Xbox | [https://www.amazon.com/gp/product/B00F52LQHO Amazon] [https://www.aliexpress.com/item/4000452932782.html Aliexpress] |} === Wiring === Untested / unverified! Take this with a grain of salt. {| class="wikitable" !Pin !Typical cable color !Description |- |1 |Red |VCC |- |2 |White |USB D+ |- |3 |Green |USB D- |- |4 |Yellow |VBlank signal from video output (for Lightguns) |- |5 |Black |GND |- |} === Protocol === XID are similar to HID but have custom Vendor requests ==== Control Transfers ==== ===== GET_DESCRIPTOR ===== * bmRequestType: 0xC1 * bRequest: 6 * wValue: 0x4200 * wIndex: Interface number * wLength: <length of respective report; typically 16> Actual length is truncated to size of descriptor or wLength. Whichever is smaller. <pre> typedef struct XIDDescriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdXid; uint8_t bType; uint8_t bSubType; uint8_t bMaxInputReportSize; uint8_t bMaxOutputReportSize; uint16_t wAlternateProductIds[4]; }; </pre> bDescriptorType is probably always 0x42. ====== bType = 1: Xbox Gamecontroller ====== * bSubType: ** 0x01 = Gamepad (Duke) ** 0x02 = Gamepad (Controller-S) ** 0x10 = Steering wheel ** 0x20 = Arcade Stick ** 0x50 = Light gun ====== bType = 3: Xbox DVD Movie Playback IR Dongle====== * bSubType: ** 0x00 ====== bType = 128: Steel Battalion ====== * bSubType: ** 0x01 ====== Example XID reports ====== This is an example XID descriptor taken from a Controller-S (VID 0x045E / PID 0x0289). <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x01 bSubType 0x02 bMaxInputReportSize 0x14 (20 bytes) bMaxOutputReportSize 0x06 (6 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from a Steel Battalion controller. <pre> bLength 0x10 (16 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x80 bSubType 0x01 bMaxInputReportSize 0x1A (26 bytes) bMaxOutputReportSize 0x16 (22 bytes) wAlternateProductIds 4 x 0xFFFF </pre> This is an example XID descriptor taken from an official Microsoft DVD Movie Playback IR dongle. <pre> bLength 0x08 (8 bytes) bDescriptorType 0x42 bcdXid 0x0100 (USB 1.0) bType 0x03 bSubType 0x00 bMaxInputReportSize 0x06 (6 bytes) bMaxOutputReportSize 0x00 (0 bytes) </pre> ===== GET_CAPABILITIES ===== * bmRequestType: 0xC1 * bRequest: 1 * wValue: ** 0x0100 for input ** 0x0200 for output * wIndex: Interface number * wLength: <length of respective report> * STALL if wValue not supported. Actual length is truncated to size of report or wLength. Whichever is smaller. <pre>typedef struct XIDGamepadCapabilities { uint8_t bReportId; uint8_t bLength; <Data> }</pre> The data will be similar to the GET_REPORT, but instead of storing actual values, it will have bits set (1) where the bit is valid in the respective report. If the bit is auto-generated, it will be cleared (0). ===== SET_REPORT ===== * bmRequestType: 0x21 * bRequest: 9 * wValue: 0x0200 * wIndex: Interface number * wLength: <length of report; typically 6> * STALL if wValue not supported. ====== Typical report ====== <pre>typedef struct XIDGamepadReport { uint8_t bReportId; uint8_t bLength; <Data> }</pre> ===== GET_REPORT ===== * bmRequestType: 0xA1 * bRequest: 1 * wValue: 0x0100 * wIndex: Interface number * wLength: <length of report; typically 20> * STALL if wValue not supported or if wLength is greater than report size. * ACK if supported. ====== Typical report ====== <pre>typedef struct XIDGamepadOutputReport { uint8_t report_id; //FIXME: is this correct? uint8_t length; <Data> }</pre> ==== Interrupt transfers ==== Alternatively interrupt-in and interrupt-out transfers can be used for GET_REPORT and SET_REPORT respectively. In case of the interrupt-in, there is another status which can occur now: * NAK if supported but no changes since last ACK. == Standard Gamepads == === Microsoft Hardware Variants === There are a few hardware re-designs of the Microsoft Gamepad. {| class="wikitable" !Controller Name !Part Number !Board Model !Notes !Datasheets |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819B |Earliest known model{{FIXME|Reason=Small sample size (5), can't confirm}}. 3 IC's: Dedicated ST 92163/JFL Micro Controller, dedicated AT43USB401 USB Controller, 4 Channel Analog Mux LW052A. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |K023B121 |Same as 23-0819B, but manufactured in China. Only Board Model that does not follow naming conventions. Hardware identical. Easily identified by a serial number that starts with "KD". |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (AKA "Duke") |X08-17160 |23-0819C |Last known Duke model.{{FIXME|Reason=Small sample size (5), can't confirm}}. Identical to 23-0819B in hardware, new silkscreen markings show this model is [https://en.wikipedia.org/wiki/UL_94 UL-94 V-0 compliant]. All boards after this are V-0 compliant. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Game Controller (Looks like an S, with green Xbox jewel) |X08-19383 |23-0923A |Japan and Australia exclusive model{{FIXME|Reason=Speculation, no hard source for this}}.Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design. |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923B |Minification of "Duke" PCB Design. Has exact same IC's as the Duke, only in an S controller design |[https://archive.org/details/ST92163 ST 92163/JFL], AT43USB401{{FIXME|Reason=Can't find datasheet}}, [https://web.archive.org/web/20191230174412/https://www.rockbox.org/wiki/pub/Main/DataSheets/TexasInstrumentsLW052ADataSheet.pdf LW052A] |- |Xbox Controller S |X08-69873 |23-0923H |Entirely new PCB design. Single IC on the board, AT43USB355M-AC |[https://archive.org/details/AT43USB355 AT43USB355M-AC] |- |Xbox Controller S |X08-69873 |23-0923I |PCB Design almost exactly the same as H revision. Only difference is the IC is smaller: AT43USB353M-AC |[https://archive.org/details/AT43USB353M-AC AT43USB353M-AC] |} There are also dedicated Part Numbers for color variants: {| class="wikitable" !Controller Part Number !Controller Description !Board Model |- |X02332-001 |Crystal S Controller |23-0923I |- |X09-64240-01 |Transparent Green Controller |23-0923I |- |X800679-100 |Black S With Halo Jewel |23-0923I |} === USB Descriptors === See https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp for a list of devices. ==== 23-0819B ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0202 Xbox Controller bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> ==== K023B121 ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0819C ==== Identical to 23-0819B {{FIXME|Reason=Confirm with xid-dumper tool}} ==== 23-0923A ==== Changes from 23-0819B <pre> Device Descriptor: idProduct: 0x0285 </pre> ==== 23-0923B ==== {{FIXME|Reason=No Descriptor Dump}} ==== 23-0923H ==== Changes from 23-0819B <pre> Device Descriptor bMaxPacketSize0: 8 idProduct: 0x0289 bcdDevice: 1.20 Configuration Descriptor Interface Descriptor Endpoint Descriptor bEndpointAddress: 0x81 </pre> ==== 23-0923I ==== Changes from 23-0923H <pre> Device Descriptor bcdDevice: 1.21 </pre> === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |{{input-ls}} |2 |0x40 | |- |{{input-rs}} |2 |0x80 | |- |{{input-a}} |4 |0xFF |Button is analog |- |{{input-b}} |5 |0xFF |Button is analog |- |{{input-x}} |6 |0xFF |Button is analog |- |{{input-y}} |7 |0xFF |Button is analog |- |{{input-black}} |8 |0xFF |Button is analog |- |{{input-white}} |9 |0xFF |Button is analog |- |{{input-lt}} |10 |0xFF |Trigger is analog |- |{{input-rt}} |11 |0xFF |Trigger is analog |- |{{input-lx}} |12 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ly}} |14 |0xFFFF |Negative = Down; Positive = Up |- |{{input-rx}} |16 |0xFFFF |Negative = Left; Positive = Right |- |{{input-ry}} |18 |0xFFFF |Negative = Down; Positive = Up |} === Xbox to Controller === 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Left actuator strength |2 |0xFFFF | |- |Right actuator strength |4 |0xFFFF | |} The Microsoft Controller S will not react to packets which don't have a value of 6 in the <code>length</code> field of the header. The Fanatec Speedster 3 ForceShock will still react to those. Further testing is necessary with other gamepads. == Steering wheels == === MadCatz Wheel === {{FIXME}} === Fanatec Speedster 3 ForceShock === ==== Pedals ==== The Pedals are ''not'' a USB device. Note that the cable going to the pedals is also ''not'' a USB port despite using the Xbox controller breakaway plug. Likewise, plugging the pedals to a PC / Xbox won't provide a USB / XID (it is detected as garbage): <pre> new full-speed USB device number 14 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 15 using xhci_hcd device descriptor read/64, error -71 device descriptor read/64, error -71 new full-speed USB device number 16 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 16, error -71 new full-speed USB device number 17 using xhci_hcd Device not responding to setup address. Device not responding to setup address. device not accepting address 17, error -71 unable to enumerate USB device </pre> ==== Internal HUB ==== ===== USB Descriptors ===== Power not connected, pedals not connected, not in Tuning mode: <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0102 bcdDevice 0.01 iManufacturer 0 iProduct 1 End iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 50 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0xff Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0000.0100 power can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0003 Self Powered Remote Wakeup Enabled </pre> ==== Steering wheel (and Pedals) ==== Always connected to port 1 of the internal HUB ===== USB Descriptors ===== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x3767 idProduct 0x0101 bcdDevice 2.80 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> == Arcade Sticks == === Xbox TECMO Dead or Alive 3 ARCADE Stick Joystick Controller Japan === {{FIXME}} === Street Fighter 15th Anniversary Edition Arcade Stick === {{FIXME}} === Gamester Xbox Arcade Stick === {{FIXME}} === Nuby Xbox Fighter Arcade Stick === {{FIXME}} === Nuby Xbox Arcade Super Stick === {{FIXME}} The source image of the box and on device has item<nowiki>#:</nowiki>36020. === Naki Ultimate Fighting Stick === {{FIXME}} [https://www.youtube.com/watch?v=4GphUsTzgds YouTube reviewer] report this joystick to have rumble support. == Light guns == Light guns use similar input and output reports to standard gamepads. Their bSubType is set to 0x50. They report where they are aimed in place of the left stick coordinates, and an extra bit at offset 3 in their input reports flags whether the light gun is currently pointed at the screen or not. Light guns may not function properly if they are not supplied with a video sync signal (they may not populate their input reports correctly, or even fail to enumerate as USB devices entirely). === Controller to Xbox === 20 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |{{input-dy+}} |2 |0x01 | |- |{{input-dy-}} |2 |0x02 | |- |{{input-dx-}} |2 |0x04 | |- |{{input-dx+}} |2 |0x08 | |- |{{input-start}} |2 |0x10 | |- |{{input-back}} |2 |0x20 | |- |Light visible |3 |0x20 |Set to 1 if the gun is pointed to a bright screen, 0 if no light visible. |- |Unknown 1 |3 |0x40 |rowspan="2" | Light guns from different manufacturers include these two bits in their GET_CAPABILITIES reports, but they always seem to read back as 0 in GET_REPORT. |- |Unknown 2 |3 |0x80 |- |{{input-a}} Trigger |4 |0xFF |rowspan="6" | Digital only, either 0 or 255 |- |{{input-b}} |5 |0xFF |- |{{input-x}} |6 |0xFF |- |{{input-y}} |7 |0xFF |- |{{input-black}} |8 |0xFF |- |{{input-white}} |9 |0xFF |- |{{input-lx}} |12 |0xFFFF |rowspan="2" | Absolute position using the full stick range. (0, 0) is the center of the screen and is also reported if the light gun is pointed off-screen. |- |{{input-ly}} |14 |0xFFFF |} === Xbox to Controller === ==== Force feedback: wValue: 0x0200, wLength: 6 ==== 6 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Actuator strength |2 |0xFFFF | |- |(Unused) |4 |0x0000 | |} The 4Gamers-branded gun (which appears to be sold by a number of different manufacturers) only reports it has the left actuator, however it only responds to force feedback output reports for the ''right'' actuator. Games appear to always enable both actuators, whether the controller reports it has both or not. ==== Calibration: wValue: 0x0201, wLength: 10 ==== 10 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Center calibration X |2 |0xFFFF |rowspan="2"|Gun's reported value subtracted from (0,0) |- |Center calibration Y |4 |0xFFFF |- |Top left calibration X |6 |0xFFFF |rowspan="2"|Gun's reported value subtracted from (-25000,25000) |- |Top left calibration Y |8 |0xFFFF |} Light guns are expected to handle their own calibration, i.e. the game will tell the gun the offsets between its reported position and the expected position and then expect the gun to offset and scale its output to compensate. The calibration process runs as follows: # The game will first send a calibration report with all four offsets reset to (0, 0), (0, 0) to reset any offsets and scaling. # The game will now display a target in the centre of the screen and ask you to shoot it. This will tell it how "wrong" the gun is when aimed at where it thinks (0, 0) should be on the screen. If the gun normally shoots slightly too high and further to the right, it might report (1000, 3000) for example. # The game sends a calibration report to the gun to negate the offset, e.g. (-1000, -3000), (0, 0) using our example of (1000, 3000) from before. # The game will now display a target in at (-25000, 25000) on the screen and ask you to shoot it. This will tell it how "wrong" the gun is when aimed at the top left of the screen. # The coordinates received from the gun will be subtracted from the expected (-25000, 25000) and sent back to the gun in the second part of the calibration report along with the values previously determined for the centre position. If the first calibration was enough to adjust the screen offset we might have seen the "perfect" coordinates of (-25000, 25000) in which case the report would be (-1000, -3000), (0, 0) again. However, if our gun read the coordinates slightly closer the the middle of the screen at (-20000, 22000) then the report would be (-1000, -3000), (5000, -3000). If the light gun does not handle the calibration output report then you will not be able to get past the calibration screen in ''The House of the Dead III''. === EMS TopGun II === ''This is an unlicensed / unofficial Xbox accessory.'' The website for this product can be found at http://www.hkems.com/product/xbox/EMSTopGun2.htm The gun presents itself as a standard Xbox gamepad. It uses a different USB descriptor for Xbox (X) and the other mode (P). There is no internal hub in this device. {| class="wikitable" ! EMS TopGun II !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="4" | Digital only, either 0 or 255 |- | Grip || {{input-b}} |- | A || {{input-x}} |- | B || {{input-y}} |- | START || {{input-start}} || |- | SE/BA || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || rowspan="2" | Absolute position using the full stick range |- | Aim Up / Down || {{input-ly}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons (All of those read constant zeros). ===== Turbo Mode ===== * Turbo mode 0 keeps {{input-a}} pressed while trigger is held * Turbo mode 1 toggles {{input-a}} rapidly while trigger is held * Turbo mode 2 toggles {{input-a}} rapidly and once in a while {{input-b}} while trigger is held ===== Force Feedback ===== The upper part of the gun is moveable and should push back to simulate recoil (possibly hurting your thumb while you are using the stick). I could not get the force feedback working, but I'm sure I've had it working in the past on PC.{{citation needed}} ==== USB Descriptors ==== This is the descriptor in the Xbox mode (X). <pre> Bus 003 Device 016: ID 0b9a:016b Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0b9a idProduct 0x016b bcdDevice 4.57 iManufacturer 1 EMS̖E iProduct 2 EMS TopGun iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 can't get debug descriptor: Resource temporarily unavailable Device Status: 0x0000 (Bus Powered) </pre> === Joytech Sharp Shooter === ''This is an unlicensed / unofficial Xbox accessory.'' The third party light gun from Joytech reports itself as 2 devices and mentions pattent [http://www.google.com/patents/US6287198 US6287198] it came with a detachable viewfinder scope without any magnification. a red dot apears in the viewfinder, its a reflection of a red led, powered by the gun over usb. model numer: JS-901D {| class="wikitable" ! Joytech Sharp Shooter !! Xbox Gamepad !! Notes |- | Stick || {{input-d}} || |- | Trigger || {{input-a}} || rowspan="6" | Digital only, either 0 or 255 {{citation needed}} |- | B (Left side) || rowspan="3" | {{input-b}} |- | B (Right side) |- | B (Magazine button) |- | x || {{input-x}} |- | y || {{input-y}} |- | START || {{input-start}} || |- | BACK || {{input-back}} || |- | Aim Left / Right || {{input-lx}} || {{citation needed}} |- | Aim Up / Down || {{input-ly}} || {{citation needed}} |} There is no right thumbstick, thumbstick presses, black/white button or trigger buttons {{citation needed}} ===== Fire/Reload Mode ===== * Normal mode does nothing, normal operation * Auto reload mode toggles {{input-b}} rapidly to rappidly reload {{citation needed}} * Auto fire+reload mode toggles {{input-a}} + {{input-b}} rapidly {{citation needed}} ==== USB Descriptors ==== <pre> Bus 003 Device 025: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 1 (error) bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 2 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Bus 003 Device 024: ID 1292:3006 Innomedia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 9 Hub bDeviceSubClass 0 bDeviceProtocol 0 Full speed (or root) hub bMaxPacketSize0 8 idVendor 0x1292 Innomedia idProduct 0x3006 bcdDevice 1.50 iManufacturer 1 (c) 2004 R0R3 Inc. iProduct 2 US Patent 6,287,198 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 25 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 4 (c) R0R3 Devices Inc. US Patent 6,287,19Ē bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 64mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 9 Hub bInterfaceSubClass 0 bInterfaceProtocol 0 Full speed (or root) hub iInterface 5 (error) Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0001 1x 1 bytes bInterval 255 Hub Descriptor: bLength 9 bDescriptorType 41 nNbrPorts 3 wHubCharacteristic 0x000d Per-port power switching Compound device Per-port overcurrent protection bPwrOn2PwrGood 32 * 2 milli seconds bHubContrCurrent 64 milli Ampere DeviceRemovable 0x02 PortPwrCtrlMask 0x0e Hub Port Status: Port 1: 0000.0103 power enable connect Port 2: 0000.0100 power Port 3: 0100.0100 power Device Status: 0x0000 (Bus Powered) </pre> == Microphones == === Xbox Communicator === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0283 Xbox Communicator bcdDevice 1.58 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x002d bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 120 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0030 1x 48 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> === Xbox Karaoke === ==== USB Descriptor ==== <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x045e Microsoft Corp. idProduct 0x0501 bcdDevice 1.00 iManufacturer 1 Licensed 3PP Vendor iProduct 2 Karaoke Microphone Module iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x001b bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 121 bInterfaceSubClass 1 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 9 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0060 1x 96 bytes bInterval 1 bRefresh 0 bSynchAddress 0 </pre> == Steel Battalion Controller == [[File:SBC.jpg|thumb|200px|Steel Battalion Controller Layout]] === USB Descriptors === <pre> Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0a7b idProduct 0xd000 bcdDevice 1.00 iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 4 </pre> === Controller to Xbox === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 26 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |RightJoyMainWeapon |2 |0x01 | |- |RightJoyFire |2 |0x02 | |- |RightJoyLockOn |2 |0x04 | |- |Eject |2 |0x08 | |- |CockpitHatch |2 |0x10 | |- |Ignition |2 |0x20 | |- |Start |2 |0x40 | |- |MultiMonOpenClose |2 |0x80 | |- |MultiMonMapZoomInOut |3 |0x01 | |- |MultiMonModeSelect |3 |0x02 | |- |MultiMonSubMonitor |3 |0x04 | |- |MainMonZoomIn |3 |0x08 | |- |MainMonZoomOut |3 |0x10 | |- |FunctionFSS |3 |0x20 | |- |FunctionManipulator |3 |0x40 | |- |FunctionLineColorChange |3 |0x80 | |- |Washing |4 |0x01 | |- |Extinguisher |4 |0x02 | |- |Chaff |4 |0x04 | |- |FunctionTankDetach |4 |0x08 | |- |FunctionOverride |4 |0x10 | |- |FunctionNightScope |4 |0x20 | |- |FunctionF1 |4 |0x40 | |- |FunctionF2 |4 |0x80 | |- |FunctionF3 |5 |0x01 | |- |WeaponConMain |5 |0x02 | |- |WeaponConSub |5 |0x04 | |- |WeaponConMagazine |5 |0x08 | |- |Comm1 |5 |0x10 | |- |Comm2 |5 |0x20 | |- |Comm3 |5 |0x40 | |- |Comm4 |5 |0x80 | |- |Comm5 |6 |0x01 | |- |LeftJoySightChange |6 |0x02 | |- |ToggleFilterControl |6 |0x04 | |- |ToggleOxygenSupply |6 |0x08 | |- |ToggleFuelFlowRate |6 |0x10 | |- |ToggleBuffreMaterial |6 |0x20 | |- |ToggleVTLocation |6 |0x40 | |- | |6 |0x80 | |- | |7 |0xFF | |- | |8 |0xFF | |- |AimingX |9 |0xFF, maybe 0xFFFF at offset 8? |"Aiming Lever" joystick on the right. X Axis value. |- |AimingY |11 |0xFF, maybe 0xFFFF at offset 10? |"Aiming Lever" joystick on the right. Y Axis value. |- |RotationLever |13 |0xFF, maybe 0xFFFF at offset 12? |"Rotation Lever" joystick on the left. |- |SightChangeX |15 |0xFF, maybe 0xFFFF at offset 14? |"Sight Change" analog stick on the "Rotation Lever" joystick. X Axis value. |- |SightChangeY |17 |0xFF, maybe 0xFFFF at offset 16? |"Sight Change" analog stick on the "Rotation Lever" joystick. Y Axis value. |- |LeftPedal |19 |0xFF, maybe 0xFFFF at offset 18? | |- |MiddlePedal |21 |0xFF, maybe 0xFFFF at offset 20? | |- |RightPedal |23 |0xFF, maybe 0xFFFF at offset 22? | |- |TunerDial |24 |0x0F |The 9 o'clock postion is 0, and the 6 o'clock position is 12. The blank area between the 6 and 9 o'clock positions is 13, 14, and 15 clockwise. |- | |24 |0xF0 | |- |GearLever |25 |0xFF |The gear lever on the left block. |} === Xbox to Controller === From http://steelbattalionnet.codeplex.com/SourceControl/latest#SBC/SteelBattalionController.cs 22 bytes {| class="wikitable" !Field !Offset (Bytes) !Mask !Notes |- |Start |0 |0x00 | |- |bLen (22 bytes) |1 |0x16 | |- |EmergencyEject |2 |0x0F | |- |CockpitHatch |2 |0xF0 | |- |Ignition |3 |0x0F | |- |Start |3 |0xF0 | |- |OpenClose |4 |0x0F | |- |MapZoomInOut |4 |0xF0 | |- |ModeSelect |5 |0x0F | |- |SubMonitorModeSelect |5 |0xF0 | |- |MainMonitorZoomIn |6 |0x0F | |- |MainMonitorZoomOut |6 |0xF0 | |- |ForecastShootingSystem |7 |0x0F | |- |Manipulator |7 |0xF0 | |- |LineColorChange |8 |0x0F | |- |Washing |8 |0xF0 | |- |Extinguisher |9 |0x0F | |- |Chaff |9 |0xF0 | |- |TankDetach |10 |0x0F | |- |Override |10 |0xF0 | |- |NightScope |11 |0x0F | |- |F1 |11 |0xF0 | |- |F2 |12 |0x0F | |- |F3 |12 |0xF0 | |- |MainWeaponControl |13 |0x0F | |- |SubWeaponControl |13 |0xF0 | |- |MagazineChange |14 |0x0F | |- |Comm1 |14 |0xF0 | |- |Comm2 |15 |0x0F | |- |Comm3 |15 |0xF0 | |- |Comm4 |16 |0x0F | |- |Comm5 |16 |0xF0 | |- | |17 |0x0F | |- |GearR |17 |0xF0 | |- |GearN |18 |0x0F | |- |Gear1 |18 |0xF0 | |- |Gear2 |19 |0x0F | |- |Gear3 |19 |0xF0 | |- |Gear4 |20 |0x0F | |- |Gear5 |20 |0xF0 | |- |Unused? |21 | |- |} == Related links == [https://github.com/xqemu/xqemu/blob/xbox/hw/xbox/xid.c XID emulation in XQEMU] [https://docs.google.com/spreadsheets/d/1-c1tXfOMvaWuno3ixQyI_rPCQVAZA24N4v9OPZUSrCk/edit?usp=sharing Compilation of Xbox Controller Hardware Research] 8cbaba449f7becf32c5c01e8bf14823916e6f100 0 4 7322 6297 2023-04-01T05:16:30Z Ieee802dot11ac 2549 Add Milo games wikitext text/x-wiki There might also be games which were released for Xbox 360 but not the original Xbox. I forgot to respect that with grep, so I'll remove them manually... = GoldSrc = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Counter-Strike]] |} = id Tech 3 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Return to Castle Wolfenstein: Tides of War]] |- | [[Soldier of Fortune II: Double Helix]] |- | [[Star Wars: Jedi Knight II: Jedi Outcast]] |- | [[Star Wars: Jedi Knight: Jedi Academy]] |- | [[007: Everything or Nothing]] |- | [[007: Agent Under Fire]] |} = id Tech 4 = id Tech 4 was scaled down for Xbox{{citation needed}}. {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Doom 3]] |- | [[Doom 3: Resurrection of Evil]] |} = Source Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Half-Life 2]] |} = CryEngine 1 = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Far Cry Instincts]] |- | [[Far Cry Instincts: Evolution]] |} = Torque Game Engine = {| class="wikitable sortable" font-size:90%;" ! Title |- | [[Marble Blast Gold]] |- | [[ThinkTanks]] |} = Renderware = {| class="wikitable sortable" font-size:90%;" !Title |- |[[AFL Live 2003]] |- |[[AFL Live 2004]] |- |[[AFL Live Premiership Edition]] |- |[[Battlefield 2: Modern Combat]] |- |[[Black]] |- |[[Blitz: The League]] |- |[[Broken Sword: The Sleeping Dragon]] |- |[[Burnout]] |- |[[Burnout 2: Point of Impact]] |- |[[Burnout 3: Takedown]] |- |[[Burnout Revenge]] |- |[[Call of Duty: Finest Hour]] |- |[[Cold Fear]] |- |[[Commandos: Strike Force]] |- |[[Darkwatch]] |- |[[Dead to Rights II]] |- |[[Evil Dead: Regeneration]] |- |[[Gauntlet: Seven Sorrows]] |- |[[Grand Theft Auto III]] |- |[[Grand Theft Auto: Vice City]] |- |[[Grand Theft Auto: San Andreas]] |- |[[Harry Potter and the Prisoner of Azkaban]] |- |[[Harry Potter and the Goblet of Fire]] |- |[[Headhunter Redemption]] |- |[[Hello Kitty: Roller Rescue]] |- |[[Kill Switch]] |- |[[Madagascar]] |- |[[Manhunt]] |- |[[Max Payne 2: The Fall of Max Payne]] |- |[[Major League Baseball 2K5]] |- |[[Mortal Kombat: Armageddon]] |- |[[Mortal Kombat: Deadly Alliance]] |- |[[Mortal Kombat: Deception]] |- |[[NBA Ballers]] |- |[[NFL Blitz 2003]] |- |[[Rugby League]] |- |[[ObsCure]] |- |[[Outlaw Golf 2]] |- |[[Puyo Pop: Fever]] |- |[[RoboCop]] |- |[[Rolling]] |- |[[Alfa Romeo Racing Italiano]] |- |[[Secret Weapons Over Normandy]] |- |[[Shadow the Hedgehog]] |- |[[Sonic Heroes]] |- |[[SpongeBob SquarePants: Battle for Bikini Bottom]] |- |[[Tech Deck Dude Bare Knuckle Grind]] |- |[[Teenage Mutant Ninja Turtles: Mutant Melee]] |- |[[The Incredibles: Rise of the Underminer]] |- |[[The Incredibles]] |- |[[The SpongeBob SquarePants Movie Game]] |- |[[The Warriors]] |- |[[Tony Hawk's Pro Skater 3]] |- |[[Tony Hawk's Pro Skater 4]] |- |[[Total Overdose: A Gunslinger's Tale in Mexico]] |- |[[Toxic Grind]] |- |[[Without Warning]] |- |[[Yourself!Fitness]] |} = Unreal Engine 1 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |[[New Legends]] |UT Build 613 |} = Unreal Engine 2 = {| class="wikitable sortable" font-size:90%;" !Title !Engine Version |- |- |[[Advent Rising]] |UE2 Build 2226 |- |[[America's Army: Rise of a Soldier]] |UT2003 Build 928 |- |[[Brothers in Arms: Earned in Blood]] |UE2 Build 2226 |- |[[Brothers in Arms: Road to Hill 30]] |UE2 Build 2226 |- |[[Combat: Task Force 121]] |UE2 Build 2110 |- |[[Dead Man's Hand]] |UE2 Build 2110 |- |[[Deus Ex: Invisible War]] |Warfare Build 777 |- |[[Land of the Dead: Road to Fiddler's Green]] |UE2 BUild 2226 |- |[[Magic the Gathering: Battlegrounds]] |Warfare Build 926 |- |[[Men of Valor]] |Warfare Build 926 |- |[[Open Season]] |Warfare Build 927 |- |[[Pariah]] |UT2003 Build 928 with some UE2.5 code |- |[[Shadow Ops: Red Mercury]] |UE2 Build 2110 |- |[[Star Wars: Republic Commando]] |UE2 Build 2226 |- |[[Thief: Deadly Shadows]] |Warfare Build 777 |- |[[Tom Clancy's Ghost Recon: Advanced Warfighter]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3]] |Warfare Build 927 |- |[[Tom Clancy's Rainbow Six 3: Black Arrow]] |Warfare Build 927 |- |[[Tom Clancy's Splinter Cell]] |Warfare Build 829 |- |[[Tom Clancy's Splinter Cell: Chaos Theory]] |Warfare Build 829 - Singleplayer & Co-op mode UE2 Build 2110 - Versus mode |- |[[Tom Clancy's Splinter Cell: Double Agent]] |Warfare Build 829 - Offline mode<br>UE2 Build 2110 - Online mode |- |[[Tom Clancy's Splinter Cell: Pandora Tomorrow]] |Warfare Build 829 - Singleplayer mode<br>UE2 Build 2110 - Multiplayer mode |- |[[Unreal II: The Awakening]] |Warfare Build 829 - Retail box<br>UE2 Build 2001 - Patch v1403 |- |[[Unreal Championship]] |UT2003 Build 928 |- |[[Unreal Championship 2: The Liandri Conflict]] |UE2 build 2227 with some UE2.5 code<br>(UE2X) |- |[[Warpath]] |UT2003 Build 928 with some UE2.5 code |- |[[World War II Combat: Road to Berlin]] |UE2 Build 2110 |- |[[World War II Combat: Iwo Jima]] |UE2 Build 2110 |- |[[XIII]] |Warfare Build 829 |} = Milo Engine = This is Harmonix's in-house game engine. {| class="wikitable sortable" font-size:90%;" !Title |- |[[Karaoke Revolution]] |- |[[Karaoke Revolution Party]] |} *Contains information from ^{[https://en.wikipedia.org/wiki/List_of_CryEngine_games here]}, ^{[https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games here]}, ^{[https://en.wikipedia.org/wiki/Id_Tech_3 here]}, and ^{[https://en.wikipedia.org/wiki/List_of_RenderWare_games here]}. License: https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License 54d8b1db69bb7cc208a6f0a8195a0199637133e3 0 3700 7326 7032 2023-07-04T13:26:41Z Edness 2544 /* Security Sectors (SS.bin) */ wikitext text/x-wiki Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == Visible information on ring == '''The DVD inner ring usually contains:''' (The examples are from a German [[FIFA Soccer 2003]] disc) An outer portion with labels: * Outer ring Layer 1 ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) ** Mastering SID Code ("IFPI L126") * Inner ring for Layer 0 ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) ** Mastering SID Code ("IFPI L126") An inner porition with Xbox logo: * 3 times "XBOX" text with "X Logo" in the background on each side * 1 time "XBOX" text with blank background * 3 times "XBOX" text with "X Logo" in the background on each side * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) ** 4 times a Xbox logo ** 2 times the word "genuine" ** and in the middle the word ASPnnnn where n is a number{{citation needed}} ''' ASP code ''' [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} {| class="wikitable" |- ! ASP number ! found on ! game serial |- | ASP0180 | Xbox Hardware Refresh Disc | XB01101W |- | ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |- | ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |- | ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |- | ASP5180 | Rayman 3 hoodlum havoc | |- | ASP5280 | Xbox Music Mixer | MS09005A-MS |} == Dumps == === Files === ===== Example timestamps ===== Timestamps for [[Petit Copter]]: <pre> 126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp </pre> ==== Disc Manufacturing Information (DMI.bin) ==== READ DVD STRUCTURE with format 0x04 DMI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u32? || Unknown || Always 1? |- |4 || u32? || Unknown || Always zero? |- |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] |- |16 || u64 || || Some timestamp? |- |24 || u32? || Unknown || Always 2? |} ==== Physical Format Information (PFI.bin) ==== READ DVD STRUCTURE with format 0x00 Read from the Lead-In. PFI (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each |- |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each |- |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit |- |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each |- |4 || u8 || || Always zero |- |5 || u24 || Starting Physical Sector Number of Data Area || |- |8 || u8 || || Always zero |- |9 || u24 || End Physical Sector Number of Data Area || |- |12 || u8 || || Always zero |- |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs |} From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) ==== Security Sectors (SS.bin) ==== Challenge entry (11 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |- |1 || u8 || Challenge id || |- |2 || u32 || Challenge value || |- |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |- |7 || u32 || Response value || |} Security sector range (9 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |3 || u24 || Start PSN || |- |6 || u24 || End PSN || |} Unknown1 (44 Bytes) {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) |- |8 || u32 || || Unknown (XBE Certificate timestamp for 1183, empty for 1503) |- |27 || u8 || || Unknown |- |28 || u8[16] || || Unknown |} Complete format (2048 Bytes): {| class="wikitable" ! Offset !! Type !! Field !! Notes |- |0 || PFI || Physical Format Information || PFI for the actual data, unknown size |- |720 || u32 || Unknown || |- |768 || u8 || Version of challenge table || Always 1 |- |769 || u8 || Number of challenge entries || Always 23 |- |770 || Challenge entry[] || Encrypted challenge entries || |- |1055 || u64 || || Some large number timestamp? |- |1083 || u8[16] || || Unknown |- |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries |- |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) |- |1247 || u8[256] || Signature A || For hash in previous field |- |1503 || Unknown1 || || Unknown |- |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) |- |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) |- ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) |- |1632 || u8 || Number of security sector ranges || Always 23 |- |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |- |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |} All other fields are assumed to be zero! ===== Decryption of challenge entries ===== Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2. === Dumping === To dump Xbox Game Discs you need one of the following drives / firmwares: {| class="wikitable" !Drive !Standard !Original Firmware download !Name of modified Firmware for dumping |- |{{FIXME|reason=Which drives?}} | | | * 0800{{citation needed}} |- |Toshiba SD-M2012C |IDE | | * Kreon{{citation needed}} |- |Samsung SH-D162C |IDE |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03^Korean] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04^Korean] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] |rowspan=2 | * TS04 Kreon 0.5 (June 23rd 2006) * TS04 Kreon 0.60 (July 30th 2006) * TS04 Kreon 0.80 (September 9th 2006) * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H352C |IDE |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00^Korean] |- |Samsung SH-D162D |IDE |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * SB00 Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H352D |IDE |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] |- |Samsung SH-D163A |SATA |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] |rowspan=2 | * Kreon 0.80 (October 17th 2006) * SB01 Kreon 1.00 (October 9th 2007) |- |Toshiba TS-H353A |SATA | |- |Samsung SH-D163B |SATA |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] |rowspan=2 | * Kreon 1.00 (November 18th 2007) |- |Toshiba TS-H353B |SATA |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} |} Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated. Flashing software: * [https://web.archive.org/web/20160904080433/http://www.tsstodd.com:80/TotalLib/popup/Download.asp?path=program&lang=eng&fname=TSDNMAC.ZIP TSDNMAC] for MacOS * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP * [https://web.archive.org/web/20100105230358/http://samsungodd.com/KorLib/File/Tsdnwin.exe TSDNWIN] for Microsoft Windows Vista and 7 * [https://web.archive.org/web/20060328075340/http://www.samsungodd.com/eng/information/Application/Files/sfdndos.exe SFDNDOS] [https://web.archive.org/web/20060328072528/http://www.samsungodd.com/eng/information/Application/Files/Sfdndosm.exe SFDNDOSM] and the newer TSDNDOS ([https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverid=r205571 included here]) for Microsoft DOS For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. ==== USB Adapters ==== There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. {|class="wikitable" ! Adapter Model / USB VID:DID ! Drive Model ! Notes |- | [https://www.amazon.com/Vantec-CB-ST00U3-NexStar-Optical-Storage/dp/B07452Z3KH Vantec CB-ST00U3 NexStar USB 3.0 to SATA 6Gbps Optical/Storage Adapter] <code>152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp</code> | TS-H353B/DEWH <code>H/W:A Ver.B APRIL 2007</code> | Windows 11. No extra drivers required. Drive flashed. Works with MFP 2.3. |- | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] <code>174c:55aa ASMedia Technology Inc.</code> | SH-D163B/BEBE <code>H/W:A Ver.B SEPTEMBER 2008</code> | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. '''These adapters did NOT work with two separate TS-H353B drives on Windows (No media detected, extremely slow to respond).''' |- | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] <code>1f75:0611 Innostor Technology Corporation</code> | SH-D162D/BEWE <code>H/W:A Ver.D JULY 2007</code> | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |} === Xbox related commands === ==== Enable Unlock 1 (xtreme) state ==== Supported by: Kreon 1.00 <pre>FF 08 01 01</pre> Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. ==== Set Lock State ==== Supported by: Kreon 1.00 <pre>FF 08 01 11 xx</pre> * <code>xx=00</code> - Drive locked (no unlock state) * <code>xx=01</code> - Unlock State 1 (xtreme) enabled * <code>xx=02</code> - Unlock state 2 (wxripper) enabled ==== SS extract command ==== Supported by: Kreon 1.00 <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> This is the well known from the xtreme firmware. ==== Get Feature List ==== Supported by: Kreon 1.00 <pre>FF 08 01 10</pre> This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: XBOX 360 related features: * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0120</code> : The drive can read and decrypt the SS * <code>0x0121</code> : The drive has full challenge response functionality XBOX related features: * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) * <code>0x0220</code> : The drive can read and decrypt the SS * <code>0x0221</code> : The drive has full challenge response functionality General drive features: * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command * <code>0xF001</code> : The drive supports error skipping This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. == References and links == * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] 9ef1ed4d9813445d8a77383f864463e99914a6e4 0 3706 7327 7292 2023-07-04T14:02:35Z Edness 2544 /* Title ID */ add missing publishers that are listed on redump wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AP || Aquaplus |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CT || CTO S.p.A. |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KK || KiKi |- | KN || Konami |- | KO || KOEI |- | KT || Konami Tokyo |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XD || ''Xbox demo disk? (Japan?)'' |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | XX || Microsoft Windows Media Center Extender for Xbox |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: 45410017 [EA-023] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] e18a4af6e0d896a57b4ef3e05ef1b2228d85cd56 7334 7327 2023-09-24T11:18:39Z QuantX 2552 Specify hashing algorithm used to check each section wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AP || Aquaplus |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CT || CTO S.p.A. |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KK || KiKi |- | KN || Konami |- | KO || KOEI |- | KT || Konami Tokyo |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XD || ''Xbox demo disk? (Japan?)'' |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | XX || Microsoft Windows Media Center Extender for Xbox |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: 45410017 [EA-023] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a 20 byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] c6189ce551d1b7f5389f1db236d0707b041539e1 7335 7334 2023-09-26T07:32:42Z QuantX 2552 wikitext text/x-wiki {{DISPLAYTITLE:XBE}} XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft. The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources. = Image Header = The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian): {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |- ! 0x0004 ! 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |- ! 0x0104 ! 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |- ! 0x0108 ! 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |- ! 0x010C ! 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |- ! 0x0110 ! 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |- ! 0x0114 ! 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |- ! 0x0118 ! 0x0004 | Certificate Address | Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory. |- ! 0x011C ! 0x0004 | Number of Sections | Number of sections contained in this .XBE. |- ! 0x0120 ! 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |- ! 0x0124 ! 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001 FormatUtilityDrive = 0x00000002 Limit64Megabytes = 0x00000004 DontSetupHarddisk = 0x00000008 |- ! 0x0128 ! 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. <span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span> |- ! 0x012C ! 0x0004 | TLS Address | Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure. |- ! 0x0130 ! 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |- ! 0x0134 ! 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |- ! 0x0138 ! 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |- ! 0x013C ! 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |- ! 0x0140 ! 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |- ! 0x0144 ! 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |- ! 0x0148 ! 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |- ! 0x014C ! 0x0004 | Debug PathName Address | Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |- ! 0x0150 ! 0x0004 | Debug FileName Address | Address to the debug filename (i.e. "simpsons.exe") |- ! 0x0154 ! 0x0004 | Address to the UTF-16 debug filename (i.e. L"simpsons.exe") | UTF-16 Debug FileName Address |- ! 0x0158 ! 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6 To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be... KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF) When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). <span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span> |- ! 0x015C ! 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |- ! 0x0160 ! 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |- ! 0x0164 ! 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |- ! 0x0168 ! 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x016C ! 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |- ! 0x0170 ! 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |- ! 0x0174 ! 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |- ! 0x0178 ! 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |- ! 0x0180 ! 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |} == LibraryVersion Table == {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |- ! 0x0008 ! 0x0002 | Major Version | Major version for this library (2-byte WORD). |- ! 0x000A ! 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |- ! 0x000C ! 0x0002 | Build Version | Build version for this library (2-byte WORD). |- ! 0x000E ! 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask) Approved = 0x6000 (02-Bit Mask) Debug Build = 0x8000 (01-Bit Mask) |} == TLS Table == The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero. {| class="wikitable |- ! Offset ! Size ! Name ! Description |- ! 0x0000 ! 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |- ! 0x0004 ! 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |- ! 0x0008 ! 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |- ! 0x000C ! 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |- ! 0x0010 ! 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |- ! 0x0014 ! 0x0004 | Characteristics | Describes alignment. |} = Certificate = Each Xbox executable has a certificate that contains information about the title. * Time and date when the certificate was created * Title ID * Title name * Alternative title IDs * Allowed types of media that the executable can be run from (HD, DVD, CD, etc.) * Game region * Game ratings * Disk number * Version * LAN key raw data used for [[System Link]] * Signature key raw data (used to sign [[Xbox Savegame System|savegames]]) * Alternate signature keys * Original size of the certificate * Online service name (not present in early executables) * Run time security flags (not present in early executables) === Title ID === A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games) {| class=wikitable ! Publisher ID !! Name |- | AC || Acclaim Entertainment |- | AH || ARUSH Entertainment |- | AP || Aquaplus |- | AQ || Aqua System |- | AS || ASK |- | AT || Atlus |- | AV || Activision |- | AY || Aspyr Media |- | BA || Bandai |- | BL || Black Box |- | BM || BAM! Entertainment |- | BR || Broccoli Co. |- | BS || Bethesda Softworks |- | BU || Bunkasha Co. |- | BV || Buena Vista Games |- | BW || BBC Multimedia |- | BZ || Blizzard |- | CC || Capcom |- | CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}} |- | CM || Codemasters |- | CT || CTO S.p.A. |- | CV || Crave Entertainment |- | DC || DreamCatcher Interactive |- | DX || Davilex |- | EA || Electronic Arts (EA) |- | EC || Encore inc |- | EL || Enlight Software |- | EM || Empire Interactive |- | ES || Eidos Interactive |- | FI || Fox Interactive |- | FS || From Software |- | GE || Genki Co. |- | GV || Groove Games |- | HE || Tru Blu (Entertainment division of Home Entertainment Suppliers) |- | HP || Hip games |- | HU || Hudson Soft |- | HW || Highwaystar |- | IA || Mad Catz Interactive |- | IF || Idea Factory |- | IG || Infogrames |- | IL || [[Interlex Corporation]] |- | IM || Imagine Media |- | IO || Ignition Entertainment |- | IP || Interplay Entertainment |- | IX || InXile Entertainment {{citation needed}} |- | JA || Jaleco |- | JW || JoWooD |- | KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}} |- | KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}} |- | KK || KiKi |- | KN || Konami |- | KO || KOEI |- | KT || Konami Tokyo |- | KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}} |- | LA || LucasArts |- | LS || Black Bean Games (publishing arm of Leader S.p.A.) |- | MD || Metro3D |- | ME || Medix |- | MI || Microïds |- | MJ || Majesco Entertainment |- | MM || Myelin Media |- | MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}} |- | MS || Microsoft Game Studios |- | MW || Midway Games |- | MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}} |- | NK || NewKidCo |- | NL || NovaLogic |- | NM || Namco |- | OX || Oxygen Interactive |- | PC || Playlogic Entertainment |- | PL || Phantagram Co., Ltd. |- | RA || Rage |- | SA || Sammy |- | SC || SCi Games |- | SE || SEGA |- | SN || SNK |- | SS || Simon & Schuster |- | SU || Success Corporation |- | SW || Swing! Deutschland |- | TA || Takara |- | TC || Tecmo |- | TD || The 3DO Company (or just 3DO) |- | TK || Takuyo |- | TM || TDK Mediactive |- | TQ || THQ |- | TS || Titus Interactive |- | TT || Take-Two Interactive Software |- | US || Ubisoft |- | VC || Victor Interactive Software |- | VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}} |- | VU || Vivendi Universal Games |- | VV || Vivendi Universal Games {{citation needed}} |- | WE || Wanadoo Edition |- | WR || Warner Bros. Interactive Entertainment {{citation needed}} |- | XD || ''Xbox demo disk? (Japan?)'' |- | XI || XPEC Entertainment and Idea Factory |- | XK || ''Xbox kiosk disk?'' {{citation needed}} |- | XL || ''Xbox special bundled or live demo disk?'' {{citation needed}} |- | XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}} |- | XP || XPEC Entertainment |- | XR || Panorama |- | XX || Microsoft Windows Media Center Extender for Xbox |- | YB || YBM Sisa (South-Korea) |- | ZD || Zushi Games (formerly Zoo Digital Publishing) |} The title ID seems to double the information from the [[Xbox Game Disc]] mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000. '''Examples''': [[FIFA Soccer 2003]]: * DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe) * Title ID: 45410017 [EA-023] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America) * Title ID: 4D530004 [MS-004] [[Halo: Combat Evolved]]: * DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe) * Title ID: 4D530004 [MS-004] == Allowed media types == Allowed media types off which the executable is allowed to be run from. The following values are known: {| class=wikitable ! Media type !! Value |- |HARD_DISK || 0x00000001 |- |DVD_X2 || 0x00000002 |- |DVD_CD || 0x00000004 |- |CD || 0x00000008 |- |DVD_5_RO || 0x00000010 |- |DVD_9_RO || 0x00000020 |- |DVD_5_RW || 0x00000040 |- |DVD_9_RW || 0x00000080 |- |DONGLE || 0x00000100 |- |MEDIA_BOARD || 0x00000200 |- |NONSECURE_HARD_DISK || 0x40000000 |- |NONSECURE_MODE || 0x80000000 |- |MEDIA_MASK || 0x00FFFFFF |} = Sections = The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a 20 byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections. The SHA-1 hash is computed by prepending the length of the section (excluding any padding) as an unsigned 32-bit integer followed by the contents of the section itself. At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. == .text == The .text section contains all x86 subroutines to be executed by the [[CPU|processor]]. == .rdata == The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded. = Xbox Alpha executable format = Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}} = Resources and links = * [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1] [[Category:Fileformats]] 1912983c6abb75c5c213fd341e5381488eb7ff5a 0 3669 7329 6963 2023-08-19T19:52:10Z Doom 2542 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 (DVT6) ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] ** GPU has a fan on the heat sink ** Samsung M-die RAM chips * Xbox 1.1 (QT) ** USB controller moved onto the motherboard ** Fan removed from the GPU heat sink * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout, Motherboard revision codenamed "XBLADE" ** Switched to ATX Power connector ** Samsung D-die RAM chips * Xbox 1.3 ** Removed LFrame trace from MCPX BGA pad to via, disconnecting signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder ** Samsung F-die RAM Chips ** Straps underneath MCPX updated to indicate new encoder & RAM types to xcodes * Xbox 1.6 (Tuscany) ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Allegedly, revision 1.5 had "3.3v and GND removed from LPC". But there has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. This rumor likely originated from an incorrect measurement, or a damaged board. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original Xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. A news article officially announcing Thomson to be producing the DVD drive for the original Xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 1c1a5342d50588adc3978c14db20ff014649aa72 7330 7329 2023-08-19T19:59:14Z Doom 2542 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 (DVT6) ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] as a 'bodge' for a bug in MCPX B2 silicon ** GPU has a fan on the heat sink ** Samsung M-die RAM chips * Xbox 1.1 (QT) ** MCPX 1.1 (D1) with revised secret rom, also fixes bug which required the USB daughterboard ** Fan removed from the GPU heat sink ** Removed PLL conditioner for GPU/CPU base clock * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout, Motherboard revision codenamed "XBLADE" ** Switched to ATX Power connector ** Samsung D-die RAM chips * Xbox 1.3 ** Removed LFrame trace from MCPX BGA pad to via, disconnecting signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder ** Samsung F-die RAM Chips ** Straps underneath MCPX updated to indicate new encoder & RAM types to xcodes * Xbox 1.6 (Tuscany) ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Allegedly, revision 1.5 had "3.3v and GND removed from LPC". But there has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. This rumor likely originated from an incorrect measurement, or a damaged board. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original Xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. A news article officially announcing Thomson to be producing the DVD drive for the original Xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 574c25e284fe6c1b47cc764228b4e067536483d5 7331 7330 2023-08-19T19:59:41Z Doom 2542 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 (DVT6) ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] as a 'bodge' for a bug in MCPX B2 silicon ** GPU has a fan on the heat sink ** Samsung M-die RAM chips * Xbox 1.1 (QT) ** MCPX D1 with revised secret rom, also fixes bug which required the USB daughterboard ** Fan removed from the GPU heat sink ** Removed PLL conditioner for GPU/CPU base clock * Xbox 1.2 ** TSOP Size now 256k (Initial Size 1024k) ** Updated Board Layout, Motherboard revision codenamed "XBLADE" ** Switched to ATX Power connector ** Samsung D-die RAM chips * Xbox 1.3 ** Removed LFrame trace from MCPX BGA pad to via, disconnecting signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder ** Samsung F-die RAM Chips ** Straps underneath MCPX updated to indicate new encoder & RAM types to xcodes * Xbox 1.6 (Tuscany) ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Allegedly, revision 1.5 had "3.3v and GND removed from LPC". But there has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. This rumor likely originated from an incorrect measurement, or a damaged board. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original Xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. A news article officially announcing Thomson to be producing the DVD drive for the original Xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 5ed478c1df070527e4a6064b34983daf2c27bd22 7332 7331 2023-08-19T20:04:17Z Doom 2542 wikitext text/x-wiki There were several different retail Xbox hardware revisions, which include the following: * Xbox 1.0 (DVT6) ** USB controller is on a separate [[Motherboard#USB_Daughterboard|PCB]] as a 'bodge' for a bug in MCPX B2 silicon ** GPU has a fan on the heat sink ** Samsung M-die RAM chips * Xbox 1.1 (QT) ** MCPX D1 with revised secret rom, also fixes bug which required the USB daughterboard ** Fan removed from the GPU heat sink ** Removed PLL conditioner for GPU/CPU base clock * Xbox 1.2 ** Updated Board Layout, Motherboard revision codenamed "XBLADE" (1.2 -> 1.4) ** TSOP Size now 256k (Initial Size 1024k) ** Switched to ATX Power connector ** Samsung D-die RAM chips * Xbox 1.3 ** Removed LFrame trace from MCPX BGA pad to via, disconnecting signal from LPC Port * Xbox 1.4 ** Switched to the "Focus" Video Encoder ** Samsung F-die RAM Chips ** Straps underneath MCPX updated to indicate new encoder & RAM types to xcodes * Xbox 1.6 (Tuscany) ** New Board Layout with additional RAM Pads removed ** Removed data and power lines from LPC port ** Xyclops chip (includes ROM instead of flash = BIOS no longer flashable) ** Switched to the "XCalibur" Video Encoder ** Microsoft later switched to lower quality Hynix RAM. These Xboxes with non-Samsung RAM are sometimes referred to as 1.6b by the modding community. You can find more information about the hardware used in each revision below. == History of Xbox 1.5 == Allegedly, revision 1.5 had "3.3v and GND removed from LPC". But there has been no conclusive evidence pointing to their existence, and all 1.5 sightings to date have turned out to be 1.4 boards. This rumor likely originated from an incorrect measurement, or a damaged board. == Identifying == While not definitive, here are some ways to help identify the revision of your Xbox. === Manufacturing Details === {| class="wikitable" ! scope="col" | Date Range ! scope="col" | Revision ! scope="col" | Location |- | 01/2001–07/2002 || 1.0 || Hungary, Mexico |- | 08/2002-01/2003 || 1.1 || China, Mexico |- | 01/2003-03/2003 || 1.2 || China |- | 04/2003-07/2003 || 1.3 || China |- | 09/2003-03/2004 || 1.4,1.5 || China |- | 04/2004-09/2004 || 1.6 || China, Taiwan |- | 09/2004-08/2005 || 1.6b || China, Taiwan |} === Serial Number === The serial number looks like this: LNNNNNN YWWFF * L is the production line * NNNNNN is the number produced that week * Y is the last digit of the production year * WW is the number of the week * FF is the factory code Note, this table contradicts the previous table. {| class="wikitable" ! scope="col" | Factory ! scope="col" | Location ! scope="col" | Revision |- | 02 || Mexico || 1.0 or 1.1 |- | 03 || Hungary || 1.0 |- | 05 || China || 1.1 or later |- | 06 || Taiwan || 1.2 or later |} {| class="wikitable" ! scope="col" | Serial Number ! scope="col" | Revision |- | LNNNNNN 20WFF || 1.0 |- | LNNNNNN 21WFF || 1.0 |- | LNNNNNN 23WFF || 1.0 or 1.1 |- | LNNNNNN 24WFF || 1.1 |- | LNNNNNN 25WFF || 1.1 |- | LNNNNNN 30WFF || 1.2 |- | LNNNNNN 31WFF || 1.3 |- | LNNNNNN 32WFF || 1.3 |- | LNNNNNN 33WFF || 1.4 or 1.5 |- | LNNNNNN 42WFF || 1.6 |- | LNNNNNN 43WFF || 1.6b |} === DVD Drive === There are four retail drives known to be used by Microsoft in the retail version of the console. Any Xbox DVD drive can be used in any retail Xbox. List of Xbox DVD Drive manufacturers * Thomson (Xbox 1.0, 1.1) * Philips (Xbox 1.1 and above) * Samsung (Any) * Hitachi-LG (8050L)(mainly 1.6?) [[File:Xbox_drivedetermination.png|Xbox DVD Drive determination]] ==== THOMSON TGM600 ==== The first manufacture is sadly also the worst of all Dvdrom drives manufactured for the original Xbox. It has a Cirrus Logic CL-CR3710-60EC-F as its main controller and a 8/3062 HD 64F3062F25 16bit H8/300H secondary samller MPU,at 25Mhz Unkown sofar if there is external flash or if its inside the Cirrus Logic IC. A news article officially announcing Thomson to be producing the DVD drive for the original Xbox back in 20 Juli of 2000[https://web.archive.org/web/20000829085016/http://www.codejunkies.com:80/archive/thomson_supplier_for_xbox.htm] ==== SAMSUNG SDG605 ==== The Samsung drive is a very popular DVDrom drive for its compatibility for most media types and better quality laser. There are 2 mayor revisions found for this manufacturer * X00603-005 Plays CDR * X00603-006 Wont play CDR The DVDrom drive is using the MT1358E (MT1359E is the 360 Sata version) from Mediatek, and has a 39SF020A flashrom. If the firmware from this drive is applied to a SAMSUNG 616T or 616F PC dvd drive it will behave as a Xbox one, modified hardware will allow for tray state and eject to work. Commodore4Eva released a hacked firmware for this drive which enables modified backups to work. There is also a "0800" firmware for this drive which allows to dump the entire SS. The firmwares are not linked here for legal reasons. [https://web.archive.org/web/20060707104502/http://www.samsungodd.com:80/UploadFiles/FW/FWDOWNLOAD/ENG/200212101112342331_SD-616F_F105.ZIP Original firmware for the similar PC drive SD-616F (F105)]. ==== PHILIPS VAD6035/21 ==== Also named: VAD6011/21 appears to have no brand or part number on its large main controller, might be Cirrus Logic based on its size and use of a Philips secondary smaller MCU. flash might be a 39SF020A from SST. The laser ribbon cable connector is different for its various revisions, a detail one must take into account when swapping controller boards. There should be a tutorial on how to convert a PC DVD-ROM drive Pioneer 500M with the Philips firmware to be an Xbox DVD-ROM drive. ==== HITACHI-LG GDR-8050L ==== This DVD-rom drive, most commonly found in Xbox 1.6 and 1.6b is capable of reading DVD-+R, DVD-RW and CDRW media, but fails to boot most CD-R discs source: [http://www.xbox-hq.com/html/article1535.html xbox-hq.com Hitachi-LG GDR-8050L DVD Drive In Xbox]. The latest manufacture for the DVDrom drive probably used a Panasonic MN103S89FDA for its main controler, appears to have no external flashrom. with this firmware and modified hardware for Eject and traystate, a LG GDR-8163B or LG DRD-8160B might act as a drop in replacement after altering either case. On 30 January 2006 TheSpecialist posted at xboxhacker.net that he successfully flashed a Hitachi drive to boot a copied game on an unmodded xbox: [https://web.archive.org/web/20080316154615/http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=285.0 breakthrough: XBOX 1 firmware hacked !] There is also [https://gist.github.com/JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 an IDC Script and information about the firmware] which was recovered from xboxhacker.net / old forum posts. === Hard Drive === {| class="wikitable |- ! Revision ! Drive Manufacturer ! Drive Model Number ! Capacity |- | 1.0 | Seagate | ST310211A | 10G |- | 1.0 (XB:2001-10-26 FF=02) | Western Digital | WD80EB-00CGH0 | 8G |- | 1.1 (XB:2001-10-29 FF=03) | Western Digital | WD80EB-28CGH1 | 8G |- | 1.2 | Western Digital | WD80EB-28DFH2 | 8G |- | 1.3+ | Seagate | ST10014ACE | 10G |} === Video encoder === {| class="wikitable" ! scope="col" | Video Chip ! scope="col" | Revision |- | Conexant || 1.0, 1.1, 1.2, 1.3 |- | Focus || 1.4, 1.5 |- | Xcalibur || 1.6 |} === EEPROM === {| class="wikitable" ! Xbox Model ! Manufacturer ! Model |- | 1.4 (Others?) | Catalyst | CAT24WC02J |} === MCPX Version === {| class="wikitable" ! scope="col" | MCPX Version ! scope="col" | Revision |- | 1.0 || 1.0 |- | 1.1 || 1.1 - 1.6 |} === BIOS Version === {| class="wikitable" ! scope="col" | Kernel Version ! scope="col" | Revision |- | 3944, 4034, 4036, 4627 || 1.0 |- | 4817, 4972 || 1.1 |- | 5101, 5713 || 1.2 - 1.5 |- | 5838 || 1.6 |} == References == * [http://www.informit.com/articles/article.aspx?p=367210&seqNum=2 InformIT Methods of Identification] * [http://www.informit.com/articles/article.aspx?p=367210 InformIT Identifying your Xbox Revision] 99d056fe24479d805d0e5a0331ee66ac02a1b514 0 3991 7333 6795 2023-09-22T03:17:02Z QuantX 2552 Complete rewrite based on my reverse engineering of the XPR0 format as used by Steel Battalion and Steel Battalion: Line of Contact wikitext text/x-wiki '''XPR''' probably stands for '''Xbox Packed Resource'''. It's a structure and file-format used by the [[Microsoft XDK]]. It is being used in parts of [[XAPI]]. XPRs can store a variety of different data types that are useful for Xbox D3D. XPRs are storing data similar to internal structures in the D3D driver. So D3D has mechanisms to simply load such resources into D3D objects (by moving them into GPU accessible memory). An XPR header consists of a number of resource entries which each look something like this{{FIXME|Incomplete}}: <pre> struct { union { uint32_t resource_type; // Type information and who "owns" this resource struct { uint32_t ref_count:16; // (lowest bits) uint32_t type:3; uint32_t unk3:13; // (highest bits) }; }; uint32_t data; // Offset of this resource's data in the file uint32_t unknown; // Always zero union { struct XPR_Vertexbuffer; // Vertexbuffer (type 0x0) ... } XPR_Vertexbuffer; struct { // Indexbuffer (type 0x1) ... } XPR_Indexbuffer; struct { // Unknown (type 0x2) ... } ...; struct { // Unknown (type 0x3) ... } ...; struct { // Texture (type 0x4) ...; } XPR_Texture; struct { // Unknown (type 0x5) ... } ...; struct { // Unknown (type 0x6) ... } ...; struct { // Unknown (type 0x7) ... } ...; }; } XPR_Resource; </pre> The XPR header as a whole looks like this: <pre> union { struct { char magic[4]; // Always "XPR0" / 0x30525058 uint32_t size; // Size of XPR (including magic and this field) uint32_t header_size; // Size of this header rounded up to the nearest 2048 byte boundary XPR_Resource resources[]; // An array of XPR_Resource entries uint32_t last_resource; // Always 0xFFFFFFFF }; uint8_t pad[XPR.header_size]; // Padded with 0xAD bytes } XPR; </pre> The headers are then followed by the resource data. ---- Texture data can be stored in a variety of hardware defined formats as specified by the architecture of the NV2A GPU. The format used, along with other information such as width, height, depth, and mipmap levels is stored in the resource header for the texture. The format for an XPR texture resource is as follows: <pre> struct { union { uint32_t gpu; // This 32-bit value is placed in the NV097_SET_TEXTURE_FORMAT GPU register struct { uint32_t dma : 4; (lowest bits) uint32_t dimensions : 4; // Is this a 1D, 2D, or 3D texture uint32_t format : 8; // The format of the texture data (see the table below) uint32_t levels : 4; // Number of mipmap levels uint32_t width : 4; // Width of the texture in the following format: actual_width = (1 << width) uint32_t height : 4; // Height of the texture in the following format: actual_height = (1 << height) uint32_t depth: 4; (highest bits) // Depth of the texture (for 3D textures) in the following format: actual_depth = (1 << depth) }; }; union { uint32_t size; // Describes the size of a texture who's dimensions are not a power-of-2 struct { uint32_t width : 12; (lowest bits) // The width of the texture in the following format: actual_width = width + 1 uint32_t height : 12; // The height of the texture in the following format: actual_height = height + 1 uint32_t depth : 8; (highest bits) // The depth of the texture (for 3D textures) in the following format: actual_depth = depth + 1 } }; } XPR_Texture; </pre> For textures that use arbitrary dimensions the width, height, and depth attributes of the gpu field should be zero. For textures such as DXT that use power-of-2 dimensions the size field should be zero. The following as a list of texture formats which can be used for the format attribute of the gpu field: <pre> NV097_SET_TEXTURE_FORMAT_COLOR_SZ_A1R5G5B5 0x02 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_X1R5G5B5 0x03 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_A4R4G4B4 0x04 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_R5G6B5 0x05 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_A8R8G8B8 0x06 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_X8R8G8B8 0x07 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_I8_A8R8G8B8 0x0B NV097_SET_TEXTURE_FORMAT_COLOR_L_DXT1_A1R5G5B5 0x0C NV097_SET_TEXTURE_FORMAT_COLOR_L_DXT23_A8R8G8B8 0x0E NV097_SET_TEXTURE_FORMAT_COLOR_L_DXT45_A8R8G8B8 0x0F NV097_SET_TEXTURE_FORMAT_COLOR_LU_IMAGE_R5G6B5 0x11 NV097_SET_TEXTURE_FORMAT_COLOR_LU_IMAGE_A8R8G8B8 0x12 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_A8 0x19 NV097_SET_TEXTURE_FORMAT_COLOR_LU_IMAGE_X8R8G8B8 0x1E NV097_SET_TEXTURE_FORMAT_COLOR_LU_IMAGE_DEPTH_Y16_FIXED 0x30 NV097_SET_TEXTURE_FORMAT_COLOR_SZ_A8B8G8R8 0x3A NV097_SET_TEXTURE_FORMAT_COLOR_LU_IMAGE_A8B8G8R8 0x3F </pre> f2496dd1c63ee31bf02b94c9ded45e5ea9d46662 0 3756 7336 7294 2023-10-01T04:46:32Z Ryzee119 2519 Add TUSB2046B errata note wikitext text/x-wiki For a list of differences between these mainboards, also see [[Hardware Revisions]]. == Xbox 1.0 == * [https://docs.google.com/spreadsheets/d/1oT4OtE95sguxA5KZrlwC_XEF3nlpzrql1ESycBGPtDA/edit#gid=0 Some measurements of passive components by Redherring32 (The Fish)]{{FIXME|reason=Taken from https://discordapp.com/channels/428359196719972353/428359434230693899/592363537343447040}} [[File:Xbox-Motherboard-BR.jpg|400px|thumb|right|Xbox Version 1.0 Motherboard]] The following table is based on an Xbox 1.0{{citation needed}} retail board. {| class="wikitable" !| Device ! Loc. ! Part Number ! Manufacture ! Description |- | U2D1 | D-2 | Pentium III (Coppermine) | Intel | 733MHz CPU 133MHz FSB 16Kb L1 cache 128Kb L2 cache |- | U2T1 | T-2 | SC1186 | Semtech | Programmable Synchronous DC/DC Converter |- | U3B1 | B-3 | LM358D | Phillips | Dual Operational Amplifier |- | U3B2 | B-4 | XGPU | nVidia | Graphics Processing Unit |- | U3R1 | R-3 | CY23S05 | Cypress | Low-Cost 3.3V Spread Aware Zero Delay Buffer |- | U3T1 | T-3 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U4B1 | B-4 | CX25871 | Conexant | Digital Video Encoder (same pinout as Bt868/869) |- | U4G1 | G-5 | SC1110CS | Semtech | Sink and Source DC/DC Controller for Termination Power Supply |- | U5F1 | F-5 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6A1 | A-6 | LF353 | Texas Instruments | Dual General-Purpose JFET-input Operational Amplifier |- | U6B1 | B-6 | WM9709 | Wolfson Micro | High-quality stereo audio DAC (Digital to Analog converter) |- | U6D1 | D-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U6E1 | E-6 | MCPX | nVidia | Media and Communications Processor |- | U6F1 | F-6 | ADM1032 | Analog Devices | +-1°C Remote and Local System Temperature Monitor |- | U6N1 | N-6 | K4D263238M | Samsung | 1Mx32Bitx4 DDR Synchronous RAM |- | U7B1 | B-7 | 1893AF | Integrated Circuit Systems | 3.3V 10Base-T/100Base-TX Integrated PHYceiver |- | U7B2 | B-7 | PIC16LC63A-04/S0 | Microchip | Low voltage 8bit CMOS microcontroller with A/D converter |- | U7C1 | C-7 | 388R | Integrated Circuit Systems | Quad PLL Quick Turn Clock Synthesizer |- | U7C2 | C-7 | BR24C02 | Rohm | I2C BUS compatible Serial EEPROM |- | U7C3 | C-7 | 331M | Integrated Circuit Systems | Single Output Clock |- | U7D1 | D-7 | M29F080A | ST Microelectronics | 8 MBit (1MB X8, Uniform block) single supply flash memory |- | U7P1 | P-7 | <empty> | <n/a> | <n/a> |} === USB Daughterboard === * [https://github.com/Teufelchen1/XBOX-USB-HUB Homemade PCB remake by Teufelchen] [[File:USB_Daughterboard_front.png|100px|thumb|right|Xbox Version 1.0 USB Daughterboard]] {| class="wikitable" !| Device ! Part Number ! Manufacture ! Description |- | U2 | TUSB2046B | Texas Instruments | 4-Port Hub for USB w/Optional Serial EEPROM Interface |} Part TUSB2046B has the following errata published by the Manufacturer (Ref https://www.ti.com/lit/pdf/sllz051). This is handled by the XDK software driver: TI has found that the TUSB2046B (also TUSB2077A and TUSB2036) has a slight violation in the manner that it determines the intended speed of an attached downstream device. By the intent of the USB specification (shown in Figure 7-19), the speed should be determined by sampling the DP or DM line following a 100ms debounce interval after either signal (DP or DM) first crosses the VIH threshold. The TUSB2046B (TUSB2077A, TUSB2036) actually samples the speed at the first VIH crossing and latches this value. This issue has only been observed recently with newer devices that either drive DM high or show excessive ringing during the initial connection, hence causing the speed detection to be seen as slow speed by the TUSB2046B (TUSB2077A, TUSB2036). Note that this device is used extensively in the USB 1.1 Gold tree suite, and this issue was never revealed, further pointing to the fact that some newer devices have less control on DM than previous devices, although this is allowed by the USB specification. TI has no planned fix in the pipeline but wants users to be aware of this issue, which can easily be avoided by guaranteeing that DP be asserted high before DM. In the event that a false low-speed detection is observed, the situation can be resolved by performing a CLEAR_PORT_FEATURE(PORT_ENABLE) followed by a RESET_PORT in the software driver, assuming both DP and DM are now stable. == Xbox 1.1 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == Xbox 1.2 == {{FIXME}} == Xbox 1.3 == {{FIXME}} == Xbox 1.4 == * [https://drive.google.com/drive/folders/1dmMwJkFyu6Tw6SPgfJd_9oZ6wLzpNlmX PCB scan by LoveMHz]{{FIXME|reason=Should live in some repo or something}} {{FIXME}} == Xbox 1.5 == {{FIXME}} == Xbox 1.6 == * [https://web.archive.org/web/20180210173816/http://diy.sickmods.net/Tutorials/Xbox1/Hi-Res_Scans/ PCB scan by SICKmods]{{FIXME|reason=Should live in some repo or something; we also have permission to this; https://discordapp.com/channels/428359196719972353/428359434230693899/561462101214756876 / https://media.discordapp.net/attachments/428359434230693899/561462101214756874/image0.png}} {{FIXME}} == References == * [https://web.archive.org/web/20040826151041/http://console-dev.com:80/IC.htm http://console-dev.com:80/IC.htm Documentation by PiXEL8] d3e7847bbd897eeb8769703713480ec6e315cbec 0 3 7338 7295 2023-10-25T14:06:04Z Thrimbor 2531 Fix dead links wikitext text/x-wiki == Xbox Post-Mortems by developers == === Xbox Launch === * GDC2002: [https://www.powershow.com/download/6f1ff7-NmE2O/Xbox_Launch_Lessons_Learned_powerpoint_ppt_presentation Xbox Launch: Lessons Learned] ([https://www.gdcvault.com/play/1022522/Xbox-Launch-Lessons Audio]) === Post processing === * CEDEC2002: [https://web.archive.org/web/20031212044938/http://www.daionet.gr.jp/~masa/column/2002-09-22.html DOUBLE-S.T.E.A.L techniques] ''(Japanese)'' * GDC2003: [https://web.archive.org/web/20031212140633/http://www.daionet.gr.jp/~masa/column/2003-03-21.html Frame Buffer Postprocessing Effects in DOUBLE-S.T.E.A.L (Wreckless)] ''(English)'' === HDR rendering === * GDC2004: [https://web.archive.org/web/20060404103630/http://www.daionet.gr.jp/~masa/column/2004-04-04.html Practical Implementation of High Dynamic Range Rendering] === Deferred Shading === * https://web.archive.org/web/20201024153643/https://sites.google.com/site/richgel99/index#TOC-Shrek-Xbox-and-Deferred-Shading * https://web.archive.org/web/20201024153427/https://sites.google.com/site/richgel99/home * https://web.archive.org/web/20201123202956/https://sites.google.com/site/richgel99/home/xbox-1-g-buffer-attribute-packing-pixel-shader * https://web.archive.org/web/20171008031141/http://www.tenacioussoftware.com/gdc_2004_deferred_shading.ppt == Random resources about Xbox hacking == * [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf Michael Steils Xbox Presentation from C3 in 2005] * https://media.ccc.de/v/19C3-399-xbox-linux * https://media.ccc.de/v/22C3-559-en-xbox_hacking * https://www.youtube.com/watch?v=6fOjGLCctEY * [http://www.bunniestudios.com/bunnie/proj/anatak/xboxmod.html Bunnies original Xbox page] * [https://www.nostarch.com/xboxfree Bunnies "Hacking the Xbox" e-book for free] * [http://web.archive.org/web/20010417064218/ddj.com/articles/2000/0008/0008a/0008a.htm?topic=graphics Article about Xbox Graphics (before release) from Dr. Dobbs] * [http://www.anandtech.com/show/853 Technical article about the Xbox by AnandTech] * [https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20video%20and%20slides/DEF%20CON%2030%20-%20Tristan%20Miller%20-%20Reversing%20the%20Original%20Xbox%20Live%20Protocols.mp4 Reversing the Original Xbox Live Protocols] presented by [[User:monocasa]] at DEF CON 30 (2022) == History == * [https://www.youtube.com/watch?v=rUODlNffWmU 3 Xbox Bosses Share Secrets of the Console's Past (Video)] * [https://www.youtube.com/watch?v=iWQb7LGH71s Xbox Assembly Line Tour (Video)] * [https://www.youtube.com/watch?v=_gOoI57q72M XBox Oral History Panel with Nick Baker, Todd Holmdahl, and Albert Penello (Video)] * [https://www.youtube.com/watch?v=2VCb-y7MC5U?t=1248 Behind the Code - Interview with Nick Baker (Video) intresting xbox part starts 20:48] == Background knowledge about related topics == === Graphics programming === * Meltdown 2001 (Microsoft Game development conference): [https://web.archive.org/web/20060203201117/https://www.microsoft.com/mscorp/corpevents/meltdown2001/presentations.asp Presentation slides] * GDC2001: [http://developer.download.nvidia.com/assets/gamedev/docs/GDC2K1_DX8_Pixel_Shaders.pdf DirectX8 Pixel Shaders] * [https://web.archive.org/web/20200130052343/http://download.nvidia.com/developer/Papers/ Papers by nvidia from Xbox era] * [https://web.archive.org/web/20191214222749/http://download.nvidia.com/developer/presentations/ Presentation slides by nvidia from Xbox era] * [https://web.archive.org/web/20200130053050/http://download.nvidia.com/developer/movies/ Presentation recordings by nvidia from Xbox era] * [https://web.archive.org/web/20191214215356/http://download.nvidia.com/developer/NVTextureSuite/ Texturing tools by nvidia from Xbox era] * [https://web.archive.org/web/20191214215706/http://download.nvidia.com/developer/Tools/ Tools by nvidia from Xbox era] * https://web.archive.org/web/20191214215240/http://download.nvidia.com/developer/Third_Party/ * http://iquilezles.org/www/index.htm * https://web.archive.org/web/20150408045127/http://freespace.virgin.net/hugo.elias/ * http://www.mvps.org/directx/indexes/ * https://www.gdcvault.com/play/247/CRYSIS-Next-Gen ''(Contains some parts which are also applicable to original Xbox)'' * [https://www.valvesoftware.com/en/publications Publications by Valve Software] * http://graphics.uni-konstanz.de/publikationen/Luft2006ImageEnhancementUnsharp/Luft2006ImageEnhancementUnsharp.pdf * [https://web.archive.org/web/20090518092325/http://www.daionet.gr.jp:80/~masa/column/index.html Masa's Column (DOUBLE-S.T.E.A.L / Wrecked developer)] * [https://fgiesen.wordpress.com/ Blog by ryg] * [http://filmicworlds.com/blog/ Filmic Worlds] * [https://web.archive.org/web/20191208134031/https://gpuopen.com/archive/gamescgi/cubemapgen/ AMD CubeMapGen tool for mipmapping cubemaps] 8c3b291daf777bcc068dc2a061a71cf7f528b424